AW: BZ #21361 backport to version prior 2.26? Was: +

Sudler, Simon simon.sudler@siemens.com
Sun Jan 1 00:00:00 GMT 2017


Hi Tulio,

> 
> Hi Simon,
> 
> "Sudler, Simon" <simon.sudler@siemens.com> writes:
> 
> > I noticed that the #21361 (CVE-2017-12132) issue was fixed for 2.26, but was not applied in any older release branches. The patch applies perfectly for the code with the vulnerability, only the tests require some backporting.
> 
> It was also backported to glibc 2.25:
> https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=47db584c74e2bbcf1ba55e62d949c1a738da5e0a
> 
> > Is there any reason why this issue has not been fixed in any older release?
> 
> Because no one proposed this backport.  ;-)
> 
> Are you looking for a backport for a particular version?

I am looking at version 2.23. However, I do believe that the backport/patch would work on any version from 2.20-24. I will try to backport the tests, since the actual code changes apply without any problem.

I was just wondering why no one was looking into this. This glibc version is used by many distros and the CVE is also unpatched there.

Regards,
Simon


