[ELDK] glibc getaddrinfo() bug (CVE-2015-7547)

Albrecht Dreß albrecht.dress at arcor.de
Fri Feb 19 19:27:29 CET 2016


Dear Wolfgang:

On 19.02.16 08:44, Wolfgang Denk wrote:
> Yes, CVE-2015-7547 is serious enough to be fixed in a v5.8.1 bugfix release.

Great, that's good news indeed!

> Plain v5.8 is based on Yocto 1.8.1, which does not contain the fix yet: Yocto 1.8.1 was released on Nov 6, 2015, while the CVE-2015-7547 fix was only added on Feb 17 (plus a number of other glibc fixes [for CVE-2015-8776, CVE-2015-9761, CVE-2015-8779, CVE-2015-8777] on Jan 22); a number of other components have also been fixed since (CVE-2015-7511, CVE-2016-2090, CVE-2016-2198, CVE-2016-2197, CVE-2016-1568, CVE-2016-0754, CVE-2016-0755, CVE-2016-0701, CVE-2015-3197, CVE-2015-0860, CVE-2015-8704, CVE-2015-8705, CVE-2016-1907, CVE-2015-1283, CVE-2015-8370, CVE-2014-9496, CVE-2014-9756, CVE-2015-7805, CVE-2015-8380, CVE-2015-8395, CVE-2015-8126, CVE-2015-7236, CVE-2015-3187, CVE-2015-7942, CVE-2015-8035, ...).
> 
> So yes, there is reason for some updates...

I fully agree with you...  Being paranoid is essential these days.

> However, due to the upcoming Embedded World trade show in Nuremberg next week we will not be able to provide such an update as quickly as we'd like to. If you need the fixes faster, please feel free to go ahead and cherrypick/backport the related patches from Yocto mainline yourself.

I don't think it's *that* urgent for me.  Not sure how other users think about it, but I guess having your statement that a patched version will be available in the near future is really all we need.  And I think this should be the time to send you a huge THANK YOU for your efforts and for providing this great package as Free Software for so many years!

> If you post the patches here I promise to pick these up ASAP and roll them into v5.8.1.
> 
> Thanks for bringing this up, and thanks in advance for any potential patches :-)

Unfortunately, I don't have the time to go to Nürnberg, but maybe I'll find some time to look into it...

Cheers,
Albrecht.