Re: Bug#860276: jessie-pu: package glibc/2.19-18+deb8u8
On Fri, 2017-04-28 at 00:25 +0200, Aurelien Jarno wrote:
> On 2017-04-27 22:58, Aurelien Jarno wrote:
> > On 2017-04-23 21:18, Adam D. Barratt wrote:
> > > On Thu, 2017-04-13 at 23:19 +0200, Aurelien Jarno wrote:
> > > > I would like to upload a new glibc package for the next jessie release.
> > > > Here is the changelog with some additional comment:
> > > >
> > > >   * Update from upstream stable branch:
> > > >     - Fix PowerPC sqrt inaccuracy. Closes: #855606.
> > > >
> > > > This fixes a regression introduced in glibc 2.19-18+deb8u7, which
> > > > slightly lowers the precision of the sqrt function on PowerPC. This
> > > > notably causes failures in the postgresql testsuite. This code is
> > > > already present in stretch/sid.
> > > >
> > > >   * patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a
> > > >     NULL pointer dereference in libresolv when receiving a T_UNSPEC internal
> > > >     QTYPE (CVE-2015-5180). Closes: #796106.
> > > >
> > > > This is a long standing security issue that has been fixed recently.
> > > > It basically changes the value of a constant so that it can't only be
> > > > generated internally. The patch is already present in stretch/sid.
> > >
> > > While I doubt that either of the above should have any noticeable effect
> > > on the installer, I'd appreciate a d-i ack in any case; CCing.
> >
> > As said on IRC, I have been pointed that the second patch actually
> > breaks the libnss/libnss-dns ABI. This means that the resolver
> > might not work correctly if all the binaries using libnss are restarted.
> > The same way there might be an issue on the d-i side if the libc in d-i
> > and libnss-dns-udeb are out of sync.
> >
> > Therefore I'll do a new upload without the patch fixing CVE-2015-5180,
> > leaving only the PowerPC fix. That should be either today or tomorrow.
> >
> > Sorry about this complication.
>
> I have just uploaded glibc_2.19-18+deb8u9.

Flagged for acceptance.

Regards,

Adam

Re: Bug#860276: jessie-pu: package glibc/2.19-18+deb8u8
On 2017-04-27 22:58, Aurelien Jarno wrote:
> On 2017-04-23 21:18, Adam D. Barratt wrote:
> > On Thu, 2017-04-13 at 23:19 +0200, Aurelien Jarno wrote:
> > > I would like to upload a new glibc package for the next jessie release.
> > > Here is the changelog with some additional comment:
> > >
> > >   * Update from upstream stable branch:
> > >     - Fix PowerPC sqrt inaccuracy. Closes: #855606.
> > >
> > > This fixes a regression introduced in glibc 2.19-18+deb8u7, which
> > > slightly lowers the precision of the sqrt function on PowerPC. This
> > > notably causes failures in the postgresql testsuite. This code is
> > > already present in stretch/sid.
> > >
> > >   * patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a
> > >     NULL pointer dereference in libresolv when receiving a T_UNSPEC internal
> > >     QTYPE (CVE-2015-5180). Closes: #796106.
> > >
> > > This is a long standing security issue that has been fixed recently.
> > > It basically changes the value of a constant so that it can't only be
> > > generated internally. The patch is already present in stretch/sid.
> >
> > While I doubt that either of the above should have any noticeable effect
> > on the installer, I'd appreciate a d-i ack in any case; CCing.
>
> As said on IRC, I have been pointed that the second patch actually
> breaks the libnss/libnss-dns ABI. This means that the resolver
> might not work correctly if all the binaries using libnss are restarted.
> The same way there might be an issue on the d-i side if the libc in d-i
> and libnss-dns-udeb are out of sync.
>
> Therefore I'll do a new upload without the patch fixing CVE-2015-5180,
> leaving only the PowerPC fix. That should be either today or tomorrow.
>
> Sorry about this complication.

I have just uploaded glibc_2.19-18+deb8u9.

Regards,
Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurel...@aurel32.net                 http://www.aurel32.net

Re: Bug#860276: jessie-pu: package glibc/2.19-18+deb8u8
On 2017-04-23 21:18, Adam D. Barratt wrote:
> On Thu, 2017-04-13 at 23:19 +0200, Aurelien Jarno wrote:
> > I would like to upload a new glibc package for the next jessie release.
> > Here is the changelog with some additional comment:
> >
> >   * Update from upstream stable branch:
> >     - Fix PowerPC sqrt inaccuracy. Closes: #855606.
> >
> > This fixes a regression introduced in glibc 2.19-18+deb8u7, which
> > slightly lowers the precision of the sqrt function on PowerPC. This
> > notably causes failures in the postgresql testsuite. This code is
> > already present in stretch/sid.
> >
> >   * patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a
> >     NULL pointer dereference in libresolv when receiving a T_UNSPEC internal
> >     QTYPE (CVE-2015-5180). Closes: #796106.
> >
> > This is a long standing security issue that has been fixed recently.
> > It basically changes the value of a constant so that it can't only be
> > generated internally. The patch is already present in stretch/sid.
>
> While I doubt that either of the above should have any noticeable effect
> on the installer, I'd appreciate a d-i ack in any case; CCing.

As said on IRC, I have been pointed that the second patch actually
breaks the libnss/libnss-dns ABI. This means that the resolver
might not work correctly if all the binaries using libnss are restarted.
The same way there might be an issue on the d-i side if the libc in d-i
and libnss-dns-udeb are out of sync.

Therefore I'll do a new upload without the patch fixing CVE-2015-5180,
leaving only the PowerPC fix. That should be either today or tomorrow.

Sorry about this complication.

Regards,
Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurel...@aurel32.net                 http://www.aurel32.net

Re: Bug#860276: jessie-pu: package glibc/2.19-18+deb8u8
Control: tags -1 + pending

On Mon, 2017-04-24 at 08:45 +0200, Aurelien Jarno wrote:
> On 2017-04-23 21:58, Adam D. Barratt wrote:
> > Control: tags -1 + confirmd
> >
> > On Sun, 2017-04-23 at 22:52 +0200, Cyril Brulebois wrote:
> > > Adam D. Barratt (2017-04-23):
> > > > While I doubt that either of the above should have any noticeable effect
> > > > on the installer, I'd appreciate a d-i ack in any case; CCing.
> > >
> > > No objections, thanks.
> >
> > Thanks for the quick response.
> >
> > Aurelien, please feel free to upload.
>
> I have just uploaded it.

Flagged for acceptance, thanks.

Regards,

Adam

Re: Bug#860276: jessie-pu: package glibc/2.19-18+deb8u8
On 2017-04-23 21:58, Adam D. Barratt wrote:
> Control: tags -1 + confirmd
>
> On Sun, 2017-04-23 at 22:52 +0200, Cyril Brulebois wrote:
> > Adam D. Barratt (2017-04-23):
> > > While I doubt that either of the above should have any noticeable effect
> > > on the installer, I'd appreciate a d-i ack in any case; CCing.
> >
> > No objections, thanks.
>
> Thanks for the quick response.
>
> Aurelien, please feel free to upload.

I have just uploaded it.

Thanks,
Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurel...@aurel32.net                 http://www.aurel32.net

Re: Bug#860276: jessie-pu: package glibc/2.19-18+deb8u8
Control: tags -1 + confirmd

On Sun, 2017-04-23 at 22:52 +0200, Cyril Brulebois wrote:
> Adam D. Barratt (2017-04-23):
> > While I doubt that either of the above should have any noticeable effect
> > on the installer, I'd appreciate a d-i ack in any case; CCing.
>
> No objections, thanks.

Thanks for the quick response.

Aurelien, please feel free to upload.

Regards,

Adam

Re: Bug#860276: jessie-pu: package glibc/2.19-18+deb8u8
Adam D. Barratt (2017-04-23):
> While I doubt that either of the above should have any noticeable effect
> on the installer, I'd appreciate a d-i ack in any case; CCing.

No objections, thanks.

KiBi.

Re: Bug#860276: jessie-pu: package glibc/2.19-18+deb8u8
On Thu, 2017-04-13 at 23:19 +0200, Aurelien Jarno wrote:
> I would like to upload a new glibc package for the next jessie release.
> Here is the changelog with some additional comment:
>
>   * Update from upstream stable branch:
>     - Fix PowerPC sqrt inaccuracy. Closes: #855606.
>
> This fixes a regression introduced in glibc 2.19-18+deb8u7, which
> slightly lowers the precision of the sqrt function on PowerPC. This
> notably causes failures in the postgresql testsuite. This code is
> already present in stretch/sid.
>
>   * patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a
>     NULL pointer dereference in libresolv when receiving a T_UNSPEC internal
>     QTYPE (CVE-2015-5180). Closes: #796106.
>
> This is a long standing security issue that has been fixed recently.
> It basically changes the value of a constant so that it can't only be
> generated internally. The patch is already present in stretch/sid.

While I doubt that either of the above should have any noticeable effect
on the installer, I'd appreciate a d-i ack in any case; CCing.

Regards,

Adam