Bug#1051958: marked as done (glibc: CVE-2023-4527)

2023-09-14 Thread Debian Bug Tracking System
Your message dated Fri, 15 Sep 2023 05:51:28 +
with message-id 
and subject line Bug#1051958: fixed in glibc 2.37-9
has caused the Debian Bug report #1051958,
regarding glibc: CVE-2023-4527
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1051958: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051958
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: glibc
Version: 2.37-8
Severity: important
Tags: security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=30842
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 2.36-9+deb12u1
Control: found -1 2.36-9

Hi,

The following vulnerability was published for glibc.

CVE-2023-4527[0]:
| Stack read overflow in getaddrinfo in no- mode


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-4527
https://www.cve.org/CVERecord?id=CVE-2023-4527
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=30842

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: glibc
Source-Version: 2.37-9
Done: Aurelien Jarno 

We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1051...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno  (supplier of updated glibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Fri, 15 Sep 2023 07:33:43 +0200
Source: glibc
Architecture: source
Version: 2.37-9
Distribution: unstable
Urgency: medium
Maintainer: GNU Libc Maintainers 
Changed-By: Aurelien Jarno 
Closes: 1051958
Changes:
 glibc (2.37-9) unstable; urgency=medium
 .
   [ Samuel Thibault ]
   * debian/testsuite-xfail-debian.mk: Update xfails for hurd-i386.
   * debian/patches/hurd-i386/git-main_stack.diff: Avoid exposing the vm_region
     symbol.
 .
   [ Aurelien Jarno ]
   * debian/patches/git-updates.diff: update from upstream stable branch:
     - Fix a stack read overflow in getaddrinfo in no- mode
       (CVE-2023-4527).  Closes: #1051958.
--- End Message ---


Processing of glibc_2.37-9_source.changes

2023-09-14 Thread Debian FTP Masters
glibc_2.37-9_source.changes uploaded successfully to localhost
along with the files:
  glibc_2.37-9.dsc
  glibc_2.37-9.debian.tar.xz
  glibc_2.37-9_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



[Git][glibc-team/glibc] Pushed new tag debian/2.37-9

2023-09-14 Thread Aurelien Jarno (@aurel32)


Aurelien Jarno pushed new tag debian/2.37-9 at GNU Libc Maintainers / glibc

-- 
View it on GitLab: 
https://salsa.debian.org/glibc-team/glibc/-/tree/debian/2.37-9




[Git][glibc-team/glibc][sid] releasing package glibc version 2.37-9

2023-09-14 Thread Aurelien Jarno (@aurel32)


Aurelien Jarno pushed to branch sid at GNU Libc Maintainers / glibc


Commits:
3abd5e3d by Aurelien Jarno at 2023-09-15T07:33:48+02:00
releasing package glibc version 2.37-9

- - - - -


1 changed file:

- debian/changelog


View it on GitLab: 
https://salsa.debian.org/glibc-team/glibc/-/commit/3abd5e3d1b26841528a9038b89108f76f3f8d9a3





Bug#1051973: tzdata: no warning about moving US/* to tzdata-legacy

2023-09-14 Thread Mike Kupfer
Package: tzdata
Version: 2023c-10
Severity: important
X-Debbugs-Cc: kup...@rawbw.com

Dear Maintainer,

After using synaptic or apt to upgrade tzdata from 2023c-7 to
2023c-10, I would get the wrong time in my desktop environments and on
a virtual terminal (no X).  I would get UTC, rather than my local
time.  Though the lightdm screen would display the correct time.

I tracked this down to the fix for #1040997.  So, changing TZ from
US/Pacific to America/Los_Angeles makes the problem go away.  Or,
keeping TZ at US/Pacific, installing tzdata-legacy makes the problem
go away.

I'm okay with the change itself, but it really should get more
visibility.  That is, on upgrade the user should get some sort of
heads-up that they are getting an incompatible change and may need to
take corrective action.

thanks,
mike

-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.4.0-3-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages tzdata depends on:
ii  debconf [debconf-2.0]  1.5.82

tzdata recommends no packages.

tzdata suggests no packages.

-- debconf information:
  tzdata/Zones/Pacific:
  tzdata/Zones/Africa:
  tzdata/Zones/Europe:
  tzdata/Zones/Arctic:
* tzdata/Zones/America: Los_Angeles
* tzdata/Areas: America
* tzdata/Zones/Etc: UTC
  tzdata/Zones/Australia:
  tzdata/Zones/Antarctica:
  tzdata/Zones/US:
  tzdata/Zones/Indian:
  tzdata/Zones/Atlantic:
  tzdata/Zones/SystemV:
  tzdata/Zones/Asia:



Re: /usr-merge and filesystem bootstrap

2023-09-14 Thread Aurelien Jarno
Hi,

Answering for the glibc package.

On 2023-09-12 20:15, Helmut Grohne wrote:
> Once the Priority:required set only has that exception set left
> unconverted, I will prepare patches for the entire exception set and
> upload it coherently in one dinstall window.
> 
> That exception set is:
>  * base-files
>  * bash
>  * coreutils maybe
>  * dash
>  * libc6
>  * util-linux

Do you mean you plan to upload source+binaries for all the above
packages and for all architectures? How do you plan to handle ports
architectures? 

> I request that affected maintainers reply to this mail:
>  * Are you ok with the proposed changes in principle?
>    + Moving all files from / to /usr leaving no files in aliased
>      locations

Yes.

>    + Installing aliasing symbolic links in base-files and libc6

Yes.

>  * Are you fine in principle with me NMUing your package after having
>    reviewed the promised patch?

Yes, with the condition that help is provided to fix the bugs resulting
from moving files from / to /usr in the glibc packages.

>  * Do you readily see any flaw in the proposed transition already?

I haven't looked at the details besides the changes you described above.

Regards
Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://aurel32.net




Processed: Bug#1051958 marked as pending in glibc

2023-09-14 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #1051958 [src:glibc] glibc: CVE-2023-4527
Added tag(s) pending.

-- 
1051958: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051958
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



[Git][glibc-team/glibc][sid] debian/patches/git-updates.diff: update from upstream stable branch:

2023-09-14 Thread Aurelien Jarno (@aurel32)


Aurelien Jarno pushed to branch sid at GNU Libc Maintainers / glibc


Commits:
9e8ac9d4 by Aurelien Jarno at 2023-09-14T22:12:18+02:00
debian/patches/git-updates.diff: update from upstream stable branch:

* debian/patches/git-updates.diff: update from upstream stable branch:
  - Fix a stack read overflow in getaddrinfo in no- mode
    (CVE-2023-4527).  Closes: #1051958.

- - - - -


2 changed files:

- debian/changelog
- debian/patches/git-updates.diff


View it on GitLab: 
https://salsa.debian.org/glibc-team/glibc/-/commit/9e8ac9d4d3e57c6843276e0046286061cda4b480





Processed: glibc: CVE-2023-4527

2023-09-14 Thread Debian Bug Tracking System
Processing control commands:

> found -1 2.36-9+deb12u1
Bug #1051958 [src:glibc] glibc: CVE-2023-4527
Marked as found in versions glibc/2.36-9+deb12u1.
> found -1 2.36-9
Bug #1051958 [src:glibc] glibc: CVE-2023-4527
Marked as found in versions glibc/2.36-9.

-- 
1051958: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051958
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1051958: glibc: CVE-2023-4527

2023-09-14 Thread Salvatore Bonaccorso
Source: glibc
Version: 2.37-8
Severity: important
Tags: security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=30842
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 2.36-9+deb12u1
Control: found -1 2.36-9

Hi,

The following vulnerability was published for glibc.

CVE-2023-4527[0]:
| Stack read overflow in getaddrinfo in no- mode


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-4527
https://www.cve.org/CVERecord?id=CVE-2023-4527
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=30842

Regards,
Salvatore