[yocto] Does CVE-2015-7547 affect eglibc?

Khem Raj raj.khem at gmail.com
Thu Feb 25 23:52:18 PST 2016


Can you describe the regressions in some more detail?

> On Feb 25, 2016, at 5:43 PM, Darcy Watkins <dwatkins at sierrawireless.com> wrote:
> 
> Be careful about rushing out fixes. We are observing regressions in software triggered by changes in glibc behaviour.
> 
> 
> ---
> 
> Regards,
> 
> Darcy
> 
> Darcy Watkins
> Staff Engineer, Firmware
> Sierra Wireless
> http://sierrawireless.com
> 
>> On Feb 24, 2016, at 8:57 AM, akuster808 <akuster808 at gmail.com> wrote:
>> 
>> 
>> 
>>> On 02/24/2016 08:38 AM, Mark Hatle wrote:
>>>> On 2/23/16 6:14 PM, akuster808 wrote:
>>>> 
>>>> 
>>>>> On 02/23/2016 02:52 PM, Darcy Watkins wrote:
>>>>>> On Tue, 2016-02-23 at 13:51 -0800, Mark Hatle wrote:
>>>>>>> On 2/23/16 1:53 PM, Khem Raj wrote:
>>>>>>> On Tue, Feb 23, 2016 at 2:25 PM, Darcy Watkins
>>>>>>>> CVE-2015-7547 glibc vulnerability has been published as affecting glibc
>>>>>>>> since ver 2.9 (fixed in 2.23 and patched in 2.22 and 2.21).
>>>>>>>> 
>>>>>>>> Anyone know if we need the same security fixes in eglibc?
>>>>>>> 
>>>>>>> yes you do. Eglibc was nothing but glibc+few fixes.
>>>>>> 
>>>>>> Yes this affects all eglibc version 2.9 and newer up to glibc 2.23.
>>>>>> 
>>>>>> As far as I'm aware, this affects all Yocto Project versions up to 2.0.
>>>>> 
>>>>> I will be interested in knowing which Yocto Project versions will
>>>>> receive the fixes.
>>>> 
>>>> Master, 2.0 and 1.8 all have the fixes.
>>>> How far back do we go in matters like this?
>>> 
>>> Official support is current (in development) and the last two releases.  So up
>>> to about a year and a half of support.
>>> 
>>> After this point, it becomes community support.  This really means, if someone
>>> in the community wants to continue support past the YP's support guidelines they
>>> are welcome to do so -- but there won't be any official releases, only checkins
>>> to the repository.
>> 
>> much better explanation than mine.
>> 
>> thanks,
>> Armin
>>> 
>>> We have done this on some OpenSSL fixes in the past, but it was based on
>>> specific requests and people submitting the fixes to be included with older
>>> versions.
>>> 
>>>> 1.7 (dizzy) I plan on doing soon. beyond that I do not know. those are
>>>> all community supported.
>>>> 
>>>> - armin
>>>>> 
>>>>> Thanks in advance!
>>>>> 
>>>>>> (The patch referenced by the security announcement applies to all of the
>>>>>> versions of glibc I've needed to apply it to for my customers.  A few per-line
>>>>>> tweaks might be necessary, but it was fairly easy.)
>> --
>> _______________________________________________
>> yocto mailing list
>> yocto at yoctoproject.org
>> https://lists.yoctoproject.org/listinfo/yocto
