On Tue, 2023-10-03 at 21:05 +0100, Richard Purdie via lists.openembedded.org wrote:
> On Mon, 2023-10-02 at 20:09 -0700, Hemraj, Deepthi via
> lists.openembedded.org wrote:
> > From: Deepthi Hemraj <[email protected]>
> > 
> > Below commits on glibc-2.38 stable branch are updated.
> > 0e1ef6779a (HEAD -> release/2.38/master, origin/release/2.38/master)
> > manual/jobs.texi: Add missing @item EPERM for getpgid
> > d94461bb86 string: Fix tester build with fortify enable with gcc < 12
> > 63250e9c57 iconv: restore verbosity with unrecognized encoding names (bug
> > 30694)
> > 00ae4f10b5 getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
> > b25508dd77 CVE-2023-4527: Stack read overflow with large TCP responses in
> > no-aaaa mode
> > 89da8bc588 NEWS: Add the 2.38.1 bug list
> > d3ba6c1333 elf: Move l_init_called_next to old place of l_text_end in link
> > map
> > 750f19526a elf: Remove unused l_text_end field from struct link_map
> > a3189f66a5 elf: Always call destructors in reverse constructor order (bug
> > 30785)
> > 7ae211a01b elf: Do not run constructors for proxy objects
> > 92201f16cb libio: Fix oversized __io_vtables
> > 5bdef6f27c io: Fix record locking contants for powerpc64 with
> > __USE_FILE_OFFSET64
> > 
> > 0024-CVE-2023-4527.patch is dropped
> > 
> > Signed-off-by: Deepthi Hemraj <[email protected]>
> > ---
> >  meta/recipes-core/glibc/glibc-version.inc | 2 +-
> >  .../glibc/glibc/0024-CVE-2023-4527.patch | 219 ------------------
> >  meta/recipes-core/glibc/glibc_2.38.bb | 1 -
> >  3 files changed, 1 insertion(+), 221 deletions(-)
> >  delete mode 100644 meta/recipes-core/glibc/glibc/0024-CVE-2023-4527.patch
> 
> I suspect that as well as deleting the patch, you need to add something
> like:
> 
> CVE_STATUS[CVE-2023-4527] = "fixed-version: Fixed in stable branch updates"
> 
> otherwise we'll see CVEs reported against this again?
> 
> There may be other CVEs which need adding too?
Since there appears to be a serious glibc issue we need to patch, I've gone ahead and added an update on top of this patch to pull in the new urgent pieces and set the CVE_STATUS accordingly. Please follow up with an additional patch for any other CVE_STATUS pieces I didn't cover.

Cheers,

Richard
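The open question in the thread ("There may be other CVEs which need adding too?") is a mechanical one: which CVE identifiers named in the stable-branch commits have no matching CVE_STATUS entry in the recipe? The script below is an added editor's example, not code from the thread or from OE-core. It scans a `git log --oneline` style listing for CVE ids, parses `CVE_STATUS[...] = "..."` assignments from a recipe or .inc file, and reports the ids that are fixed upstream but still unrecorded, suggesting the `fixed-version:` line in the form Richard quoted. The embedded sample log and recipe fragment are constructed from the commit titles and the single CVE_STATUS line quoted above; the file names it reads are hypothetical arguments, and the `fixed-version:` reason text is the one from the thread. It only finds fixes whose commit titles mention a CVE id, so fixes referenced by glibc bug number alone (e.g. "bug 30785") need a manual look-up.

```python
"""Cross-check CVE ids in a glibc stable-branch git log against CVE_STATUS entries.

Usage: python cve_status_check.py [git-log-oneline.txt] [recipe.bb]
With no arguments the constructed sample data below is used.
"""
from __future__ import annotations

import re
import sys

# CVE ids have a four-digit year and a sequence of at least four digits.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Matches one BitBake varflag assignment per line: CVE_STATUS[CVE-x] = "reason".
STATUS_RE = re.compile(r'^\s*CVE_STATUS\[(CVE-\d{4}-\d{4,})\]\s*=\s*"([^"]*)"', re.M)

# Reason string quoted in the thread for a fix that arrived via the stable branch.
DEFAULT_REASON = "fixed-version: Fixed in stable branch updates"

# Constructed sample: a subset of the commit titles quoted in the thread.
SAMPLE_LOG = """\
00ae4f10b5 getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806)
b25508dd77 CVE-2023-4527: Stack read overflow with large TCP responses in no-aaaa mode
89da8bc588 NEWS: Add the 2.38.1 bug list
a3189f66a5 elf: Always call destructors in reverse constructor order (bug 30785)
"""

# Constructed sample recipe fragment: only the CVE_STATUS line Richard suggested.
SAMPLE_RECIPE = """\
# hypothetical excerpt of a glibc recipe
CVE_STATUS[CVE-2023-4527] = "fixed-version: Fixed in stable branch updates"
"""


def cves_in_log(log: str) -> set[str]:
    """Every CVE id mentioned anywhere in the commit titles."""
    return set(CVE_RE.findall(log))


def cve_status_entries(recipe: str) -> dict[str, str]:
    """Map CVE id -> status string for each CVE_STATUS varflag in the recipe text."""
    return {cve: status for cve, status in STATUS_RE.findall(recipe)}


def missing_cve_status(log: str, recipe: str) -> list[str]:
    """CVE ids fixed in the log that have no CVE_STATUS entry yet, sorted for stable output."""
    return sorted(cves_in_log(log) - set(cve_status_entries(recipe)))


def suggested_lines(missing: list[str], reason: str = DEFAULT_REASON) -> list[str]:
    """Recipe lines to add for each unrecorded CVE, in the form quoted in the thread."""
    return [f'CVE_STATUS[{cve}] = "{reason}"' for cve in missing]


def main(argv: list[str]) -> int:
    if len(argv) == 3:
        with open(argv[1], encoding="utf-8") as fh:
            log = fh.read()
        with open(argv[2], encoding="utf-8") as fh:
            recipe = fh.read()
    else:
        log, recipe = SAMPLE_LOG, SAMPLE_RECIPE

    recorded = cve_status_entries(recipe)
    for cve, status in sorted(recorded.items()):
        print(f"recorded: {cve} -> {status}")

    missing = missing_cve_status(log, recipe)
    if not missing:
        print("all CVE ids in the log have a CVE_STATUS entry")
        return 0
    print("missing CVE_STATUS entries, suggested additions:")
    for line in suggested_lines(missing):
        print("  " + line)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample data the script reports CVE-2023-4806 as unrecorded and prints the `CVE_STATUS[CVE-2023-4806] = "fixed-version: ..."` line to add; the non-zero exit code makes it usable as a pre-submit check when a version bump drops backported CVE patches.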
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188664): https://lists.openembedded.org/g/openembedded-core/message/188664
Mute This Topic: https://lists.openembedded.org/mt/101727838/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
