[yocto] Does CVE-2015-7547 affect eglibc?

Darcy Watkins dwatkins at sierrawireless.com
Thu Feb 25 17:43:15 PST 2016


Be careful about rushing out fixes. We are observing regressions in software triggered by changes in glibc behaviour.


---

Regards,

Darcy

Darcy Watkins
Staff Engineer, Firmware
Sierra Wireless
http://sierrawireless.com

> On Feb 24, 2016, at 8:57 AM, akuster808 <akuster808 at gmail.com> wrote:
> 
> 
> 
>> On 02/24/2016 08:38 AM, Mark Hatle wrote:
>>> On 2/23/16 6:14 PM, akuster808 wrote:
>>> 
>>> 
>>>> On 02/23/2016 02:52 PM, Darcy Watkins wrote:
>>>>> On Tue, 2016-02-23 at 13:51 -0800, Mark Hatle wrote:
>>>>>> On 2/23/16 1:53 PM, Khem Raj wrote:
>>>>>> On Tue, Feb 23, 2016 at 2:25 PM, Darcy Watkins
>>>>>>> CVE-2015-7547 glibc vulnerability has been published as affecting glibc
>>>>>>> since ver 2.9 (fixed in 2.23 and patched in 2.22 and 2.21).
>>>>>>> 
>>>>>>> Anyone know if we need the same security fixes in eglibc?
>>>>>> 
>>>>>> Yes, you do. Eglibc was nothing but glibc+few fixes.
>>>>> 
>>>>> Yes this affects all eglibc version 2.9 and newer up to glibc 2.23.
>>>>> 
>>>>> As far as I'm aware, this affects all Yocto Project versions up to 2.0.
>>>> 
>>>> I will be interested in knowing which Yocto Project versions will
>>>> receive the fixes.
>>> 
>>> Master, 2.0 and 1.8 all have the fixes.
>>> How far back do we go in matters like this?
>> 
>> Official support is current (in development) and the last two releases.  So up
>> to about a year and a half of support.
>> 
>> After this point, it becomes community support.  This really means, if someone
>> in the community wants to continue support past the YP's support guidelines they
>> are welcome to do so -- but there won't be any official releases, only checkins
>> to the repository.
> 
> Much better explanation than mine.
> 
> Thanks,
> Armin
>> 
>> We have done this on some OpenSSL fixes in the past, but it was based on
>> specific requests and people submitting the fixes to be included with older
>> versions.
>> 
>>> 1.7 (dizzy) I plan on doing soon. Beyond that I do not know. Those are
>>> all community supported.
>>> 
>>> - armin
>>>> 
>>>> Thanks in advance!
>>>> 
>>>>> (The patch referenced by the security announcement applies to all of the
>>>>> versions of glibc I've needed to apply it to for my customers.  A few per-line
>>>>> tweaks might be necessary, but it was fairly easy.)
> -- 
> _______________________________________________
> yocto mailing list
> yocto at yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto


