[yocto] Does CVE-2015-7547 affect eglibc?
Darcy Watkins
dwatkins at sierrawireless.com
Thu Feb 25 17:43:15 PST 2016
Be careful about rushing out fixes. We are observing regressions in software triggered by changes in glibc behaviour.
---
Regards,
Darcy
Darcy Watkins
Staff Engineer, Firmware
Sierra Wireless
http://sierrawireless.com
> On Feb 24, 2016, at 8:57 AM, akuster808 <akuster808 at gmail.com> wrote:
>
>
>
>> On 02/24/2016 08:38 AM, Mark Hatle wrote:
>>> On 2/23/16 6:14 PM, akuster808 wrote:
>>>
>>>
>>>> On 02/23/2016 02:52 PM, Darcy Watkins wrote:
>>>>> On Tue, 2016-02-23 at 13:51 -0800, Mark Hatle wrote:
>>>>>> On 2/23/16 1:53 PM, Khem Raj wrote:
>>>>>> On Tue, Feb 23, 2016 at 2:25 PM, Darcy Watkins
>>>>>>> CVE-2015-7547 glibc vulnerability has been published as affecting glibc
>>>>>>> since ver 2.9 (fixed in 2.23 and patched in 2.22 and 2.21).
>>>>>>>
>>>>>>> Anyone know if we need the same security fixes in eglibc?
>>>>>>
>>>>>> Yes, you do. Eglibc was nothing but glibc+few fixes.
>>>>>
>>>>> Yes this affects all eglibc version 2.9 and newer up to glibc 2.23.
>>>>>
>>>>> As far as I'm aware, this affects all Yocto Project versions up to 2.0.
>>>>
>>>> I will be interested in knowing which Yocto Project versions will
>>>> receive the fixes.
>>>
>>> Master, 2.0 and 1.8 all have the fixes.
>>> How far back do we go in matters like this?
>>
>> Official support is current (in development) and the last two releases. So up
>> to about a year and a half of support.
>>
>> After this point, it becomes community support. This really means, if someone
>> in the community wants to continue support past the YP's support guidelines they
>> are welcome to do so -- but there won't be any official releases, only checkins
>> to the repository.
>
> much better explanation than mine.
>
> thanks,
> Armin
>>
>> We have done this on some OpenSSL fixes in the past, but it was based on
>> specific requests and people submitting the fixes to be included with older
>> versions.
>>
>>> 1.7 (dizzy) I plan on doing soon. Beyond that I do not know. Those are
>>> all community supported.
>>>
>>> - armin
>>>>
>>>> Thanks in advance!
>>>>
>>>>> (The patch referenced by the security announcement applies to all of the
>>>>> versions of glibc I've needed to apply it to for my customers. A few per-line
>>>>> tweaks might be necessary, but it was fairly easy.)