[yocto] Does CVE-2015-7547 affect eglibc?

akuster808 akuster808 at gmail.com
Wed Feb 24 08:50:44 PST 2016



On 02/24/2016 08:38 AM, Mark Hatle wrote:
> On 2/23/16 6:14 PM, akuster808 wrote:
>>
>>
>> On 02/23/2016 02:52 PM, Darcy Watkins wrote:
>>> On Tue, 2016-02-23 at 13:51 -0800, Mark Hatle wrote:
>>>> On 2/23/16 1:53 PM, Khem Raj wrote:
>>>>> On Tue, Feb 23, 2016 at 2:25 PM, Darcy Watkins
>>>>>> CVE-2015-7547 glibc vulnerability has been published as affecting glibc
>>>>>> since ver 2.9 (fixed in 2.23 and patched in 2.22 and 2.21).
>>>>>>
>>>>>> Anyone know if we need the same security fixes in eglibc?
>>>>>
>>>>> Yes, you do. Eglibc was nothing but glibc+few fixes.
>>>>
>>>> Yes, this affects all eglibc versions 2.9 and newer, up to glibc 2.23.
>>>>
>>>> As far as I'm aware, this affects all Yocto Project versions up to 2.0.
>>>
>>> I will be interested in knowing which Yocto Project versions will
>>> receive the fixes. 
>>
>> Master, 2.0 and 1.8 all have the fixes.
>> How far back do we go in matters like this?
> 
> Official support is current (in development) and the last two releases.  So up
> to about a year and a half of support.
> 
> After this point, it becomes community support.  This really means, if someone
> in the community wants to continue support past the YP's support guidelines they
> are welcome to do so -- but there won't be any official releases, only checkins
> to the repository.

Much better explanation than mine.

thanks,
Armin
> 
> We have done this on some OpenSSL fixes in the past, but it was based on
> specific requests and people submitting the fixes to be included with older
> versions.
> 
>> 1.7 (dizzy) I plan on doing soon. Beyond that I do not know. Those are
>> all community supported.
>>
>> - armin
>>>
>>> Thanks in advance!
>>>
>>>> (The patch referenced by the security announcement applies to all of the
>>>> versions of glibc I've needed to apply it to for my customers.  A few per-line
>>>> tweaks might be necessary, but it was fairly easy.)
>>>
>>>
> 


