Does CVE-2015-7547 affect eglibc?

Does CVE-2015-7547 affect eglibc?

[Darcy Watkins]

Hi,

CVE-2015-7547 glibc vulnerability has been published as affecting glibc
since ver 2.9 (fixed in 2.23 and patched in 2.22 and 2.21).

Anyone know if we need the same security fixes in eglibc?

-- 

Regards,

Darcy

---

Darcy Watkins
Staff Engineer, Firmware
Sierra Wireless
13811 Wireless Way, Richmond, BC
Canada, V6V 3A4
[P1]

Re: Does CVE-2015-7547 affect eglibc?

[Khem Raj]

On Tue, Feb 23, 2016 at 2:25 PM, Darcy Watkins
<dwatkins@sierrawireless.com> wrote:
> Hi,
>
> CVE-2015-7547 glibc vulnerability has been published as affecting glibc
> since ver 2.9 (fixed in 2.23 and patched in 2.22 and 2.21).
>
> Anyone know if we need the same security fixes in eglibc?

yes you do. Eglibc was nothing but glibc+few fixes.

>
> --
>
> Regards,
>
> Darcy
>
> ---
>
> Darcy Watkins
> Staff Engineer, Firmware
> Sierra Wireless
> 13811 Wireless Way, Richmond, BC
> Canada, V6V 3A4
> [P1]
>
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto

Re: Does CVE-2015-7547 affect eglibc?

[Mark Hatle]

On 2/23/16 1:53 PM, Khem Raj wrote:
> On Tue, Feb 23, 2016 at 2:25 PM, Darcy Watkins
> <dwatkins@sierrawireless.com> wrote:
>> Hi,
>>
>> CVE-2015-7547 glibc vulnerability has been published as affecting glibc
>> since ver 2.9 (fixed in 2.23 and patched in 2.22 and 2.21).
>>
>> Anyone know if we need the same security fixes in eglibc?
> 
> yes you do. Eglibc was nothing but glibc+few fixes.

Yes this affects all eglibc version 2.9 and newer up to glibc 2.23.

As far as I'm aware, this affects all Yocto Project versions up to 2.0.


(The patch referenced by the security announcement applies to all of the
versions of glibc I've needed to apply it to for my customers.  A few per-line
tweaks might be necessary, but it was fairly easy.)

--Mark

>>
>> --
>>
>> Regards,
>>
>> Darcy
>>
>> ---
>>
>> Darcy Watkins
>> Staff Engineer, Firmware
>> Sierra Wireless
>> 13811 Wireless Way, Richmond, BC
>> Canada, V6V 3A4
>> [P1]
>>
>> --
>> _______________________________________________
>> yocto mailing list
>> yocto@yoctoproject.org
>> https://lists.yoctoproject.org/listinfo/yocto

Re: Does CVE-2015-7547 affect eglibc?

[Darcy Watkins]

On Tue, 2016-02-23 at 13:51 -0800, Mark Hatle wrote:
> On 2/23/16 1:53 PM, Khem Raj wrote:
> > On Tue, Feb 23, 2016 at 2:25 PM, Darcy Watkins
> >> CVE-2015-7547 glibc vulnerability has been published as affecting glibc
> >> since ver 2.9 (fixed in 2.23 and patched in 2.22 and 2.21).
> >>
> >> Anyone know if we need the same security fixes in eglibc?
> > 
> > yes you do. Eglibc was nothing but glibc+few fixes.
> 
> Yes this affects all eglibc version 2.9 and newer up to glibc 2.23.
> 
> As far as I'm aware, this affects all Yocto Project versions up to 2.0.

I will be interested in knowing which Yocto Project versions will
receive the fixes.  How far back do we go in matters like this?

Thanks in advance!

> (The patch referenced by the security announcement applies to all of the
> versions of glibc I've needed to apply it to for my customers.  A few per-line
> tweaks might be necessary, but it was fairly easy.)


-- 

Regards,

Darcy

---

Darcy Watkins
Staff Engineer, Firmware
Sierra Wireless
13811 Wireless Way, Richmond, BC
Canada, V6V 3A4
[P1]

Re: Does CVE-2015-7547 affect eglibc?

[akuster808]

On 02/23/2016 02:52 PM, Darcy Watkins wrote:
> On Tue, 2016-02-23 at 13:51 -0800, Mark Hatle wrote:
>> On 2/23/16 1:53 PM, Khem Raj wrote:
>>> On Tue, Feb 23, 2016 at 2:25 PM, Darcy Watkins
>>>> CVE-2015-7547 glibc vulnerability has been published as affecting glibc
>>>> since ver 2.9 (fixed in 2.23 and patched in 2.22 and 2.21).
>>>>
>>>> Anyone know if we need the same security fixes in eglibc?
>>>
>>> yes you do. Eglibc was nothing but glibc+few fixes.
>>
>> Yes this affects all eglibc version 2.9 and newer up to glibc 2.23.
>>
>> As far as I'm aware, this affects all Yocto Project versions up to 2.0.
> 
> I will be interested in knowing which Yocto Project versions will
> receive the fixes. 

Master, 2.0 and 1.8 all have the fixes.
How far back do we go in matters like this?

1.7 (dizzy) I plan on doing soon. beyond that I do not know. those are
all community supported.

- armin
> 
> Thanks in advance!
> 
>> (The patch referenced by the security announcement applies to all of the
>> versions of glibc I've needed to apply it to for my customers.  A few per-line
>> tweaks might be necessary, but it was fairly easy.)
> 
> 

Re: Does CVE-2015-7547 affect eglibc?

[Mark Hatle]

On 2/23/16 6:14 PM, akuster808 wrote:
> 
> 
> On 02/23/2016 02:52 PM, Darcy Watkins wrote:
>> On Tue, 2016-02-23 at 13:51 -0800, Mark Hatle wrote:
>>> On 2/23/16 1:53 PM, Khem Raj wrote:
>>>> On Tue, Feb 23, 2016 at 2:25 PM, Darcy Watkins
>>>>> CVE-2015-7547 glibc vulnerability has been published as affecting glibc
>>>>> since ver 2.9 (fixed in 2.23 and patched in 2.22 and 2.21).
>>>>>
>>>>> Anyone know if we need the same security fixes in eglibc?
>>>>
>>>> yes you do. Eglibc was nothing but glibc+few fixes.
>>>
>>> Yes this affects all eglibc version 2.9 and newer up to glibc 2.23.
>>>
>>> As far as I'm aware, this affects all Yocto Project versions up to 2.0.
>>
>> I will be interested in knowing which Yocto Project versions will
>> receive the fixes. 
> 
> Master, 2.0 and 1.8 all have the fixes.
> How far back do we go in matters like this?

Official support is current (in development) and the last two releases.  So up
to about a year and a half of support.

After this point, it becomes community support.  This really means, if someone
in the community wants to continue support past the YP's support guidelines they
are welcome to do so -- but there won't be any official releases, only checkins
to the repository.

We have done this on some OpenSSL fixes in the past, but it was based on
specific requests and people submitting the fixes to be included with older
versions.

> 1.7 (dizzy) I plan on doing soon. beyond that I do not know. those are
> all community supported.
> 
> - armin
>>
>> Thanks in advance!
>>
>>> (The patch referenced by the security announcement applies to all of the
>>> versions of glibc I've needed to apply it to for my customers.  A few per-line
>>> tweaks might be necessary, but it was fairly easy.)
>>
>>

Re: Does CVE-2015-7547 affect eglibc?

[akuster808]

On 02/24/2016 08:38 AM, Mark Hatle wrote:
> On 2/23/16 6:14 PM, akuster808 wrote:
>>
>>
>> On 02/23/2016 02:52 PM, Darcy Watkins wrote:
>>> On Tue, 2016-02-23 at 13:51 -0800, Mark Hatle wrote:
>>>> On 2/23/16 1:53 PM, Khem Raj wrote:
>>>>> On Tue, Feb 23, 2016 at 2:25 PM, Darcy Watkins
>>>>>> CVE-2015-7547 glibc vulnerability has been published as affecting glibc
>>>>>> since ver 2.9 (fixed in 2.23 and patched in 2.22 and 2.21).
>>>>>>
>>>>>> Anyone know if we need the same security fixes in eglibc?
>>>>>
>>>>> yes you do. Eglibc was nothing but glibc+few fixes.
>>>>
>>>> Yes this affects all eglibc version 2.9 and newer up to glibc 2.23.
>>>>
>>>> As far as I'm aware, this affects all Yocto Project versions up to 2.0.
>>>
>>> I will be interested in knowing which Yocto Project versions will
>>> receive the fixes. 
>>
>> Master, 2.0 and 1.8 all have the fixes.
>> How far back do we go in matters like this?
> 
> Official support is current (in development) and the last two releases.  So up
> to about a year and a half of support.
> 
> After this point, it becomes community support.  This really means, if someone
> in the community wants to continue support past the YP's support guidelines they
> are welcome to do so -- but there won't be any official releases, only checkins
> to the repository.

much better explanation than mine.

thanks,
Armin
> 
> We have done this on some OpenSSL fixes in the past, but it was based on
> specific requests and people submitting the fixes to be included with older
> versions.
> 
>> 1.7 (dizzy) I plan on doing soon. beyond that I do not know. those are
>> all community supported.
>>
>> - armin
>>>
>>> Thanks in advance!
>>>
>>>> (The patch referenced by the security announcement applies to all of the
>>>> versions of glibc I've needed to apply it to for my customers.  A few per-line
>>>> tweaks might be necessary, but it was fairly easy.)
>>>
>>>
> 

Re: Does CVE-2015-7547 affect eglibc?

[Darcy Watkins]

Be careful about rushing out fixes. We are observing regressions in software triggered by changes in glibc  behaviour. 


---

Regards,

Darcy

Darcy Watkins
Staff Engineer, Firmware
Sierra Wireless
http://sierrawireless.com
[M3]

> On Feb 24, 2016, at 8:57 AM, akuster808 <akuster808@gmail.com> wrote:
> 
> 
> 
>> On 02/24/2016 08:38 AM, Mark Hatle wrote:
>>> On 2/23/16 6:14 PM, akuster808 wrote:
>>> 
>>> 
>>>> On 02/23/2016 02:52 PM, Darcy Watkins wrote:
>>>>> On Tue, 2016-02-23 at 13:51 -0800, Mark Hatle wrote:
>>>>>> On 2/23/16 1:53 PM, Khem Raj wrote:
>>>>>> On Tue, Feb 23, 2016 at 2:25 PM, Darcy Watkins
>>>>>>> CVE-2015-7547 glibc vulnerability has been published as affecting glibc
>>>>>>> since ver 2.9 (fixed in 2.23 and patched in 2.22 and 2.21).
>>>>>>> 
>>>>>>> Anyone know if we need the same security fixes in eglibc?
>>>>>> 
>>>>>> yes you do. Eglibc was nothing but glibc+few fixes.
>>>>> 
>>>>> Yes this affects all eglibc version 2.9 and newer up to glibc 2.23.
>>>>> 
>>>>> As far as I'm aware, this affects all Yocto Project versions up to 2.0.
>>>> 
>>>> I will be interested in knowing which Yocto Project versions will
>>>> receive the fixes.
>>> 
>>> Master, 2.0 and 1.8 all have the fixes.
>>> How far back do we go in matters like this?
>> 
>> Official support is current (in development) and the last two releases.  So up
>> to about a year and a half of support.
>> 
>> After this point, it becomes community support.  This really means, if someone
>> in the community wants to continue support past the YP's support guidelines they
>> are welcome to do so -- but there won't be any official releases, only checkins
>> to the repository.
> 
> much better explanation than mine.
> 
> thanks,
> Armin
>> 
>> We have done this on some OpenSSL fixes in the past, but it was based on
>> specific requests and people submitting the fixes to be included with older
>> versions.
>> 
>>> 1.7 (dizzy) I plan on doing soon. beyond that I do not know. those are
>>> all community supported.
>>> 
>>> - armin
>>>> 
>>>> Thanks in advance!
>>>> 
>>>>> (The patch referenced by the security announcement applies to all of the
>>>>> versions of glibc I've needed to apply it to for my customers.  A few per-line
>>>>> tweaks might be necessary, but it was fairly easy.)
> -- 
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto

Re: Does CVE-2015-7547 affect eglibc?

[Khem Raj]

[-- Attachment #1: Type: text/plain, Size: 2902 bytes --]

Can you describe the regressions in some more detail

> On Feb 25, 2016, at 5:43 PM, Darcy Watkins <dwatkins@sierrawireless.com> wrote:
> 
> Be careful about rushing out fixes. We are observing regressions in software triggered by changes in glibc  behaviour.
> 
> 
> ---
> 
> Regards,
> 
> Darcy
> 
> Darcy Watkins
> Staff Engineer, Firmware
> Sierra Wireless
> http://sierrawireless.com
> [M3]
> 
>> On Feb 24, 2016, at 8:57 AM, akuster808 <akuster808@gmail.com> wrote:
>> 
>> 
>> 
>>> On 02/24/2016 08:38 AM, Mark Hatle wrote:
>>>> On 2/23/16 6:14 PM, akuster808 wrote:
>>>> 
>>>> 
>>>>> On 02/23/2016 02:52 PM, Darcy Watkins wrote:
>>>>>> On Tue, 2016-02-23 at 13:51 -0800, Mark Hatle wrote:
>>>>>>> On 2/23/16 1:53 PM, Khem Raj wrote:
>>>>>>> On Tue, Feb 23, 2016 at 2:25 PM, Darcy Watkins
>>>>>>>> CVE-2015-7547 glibc vulnerability has been published as affecting glibc
>>>>>>>> since ver 2.9 (fixed in 2.23 and patched in 2.22 and 2.21).
>>>>>>>> 
>>>>>>>> Anyone know if we need the same security fixes in eglibc?
>>>>>>> 
>>>>>>> yes you do. Eglibc was nothing but glibc+few fixes.
>>>>>> 
>>>>>> Yes this affects all eglibc version 2.9 and newer up to glibc 2.23.
>>>>>> 
>>>>>> As far as I'm aware, this affects all Yocto Project versions up to 2.0.
>>>>> 
>>>>> I will be interested in knowing which Yocto Project versions will
>>>>> receive the fixes.
>>>> 
>>>> Master, 2.0 and 1.8 all have the fixes.
>>>> How far back do we go in matters like this?
>>> 
>>> Official support is current (in development) and the last two releases.  So up
>>> to about a year and a half of support.
>>> 
>>> After this point, it becomes community support.  This really means, if someone
>>> in the community wants to continue support past the YP's support guidelines they
>>> are welcome to do so -- but there won't be any official releases, only checkins
>>> to the repository.
>> 
>> much better explanation than mine.
>> 
>> thanks,
>> Armin
>>> 
>>> We have done this on some OpenSSL fixes in the past, but it was based on
>>> specific requests and people submitting the fixes to be included with older
>>> versions.
>>> 
>>>> 1.7 (dizzy) I plan on doing soon. beyond that I do not know. those are
>>>> all community supported.
>>>> 
>>>> - armin
>>>>> 
>>>>> Thanks in advance!
>>>>> 
>>>>>> (The patch referenced by the security announcement applies to all of the
>>>>>> versions of glibc I've needed to apply it to for my customers.  A few per-line
>>>>>> tweaks might be necessary, but it was fairly easy.)
>> --
>> _______________________________________________
>> yocto mailing list
>> yocto@yoctoproject.org
>> https://lists.yoctoproject.org/listinfo/yocto
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto


[-- Attachment #2: Message signed with OpenPGP using GPGMail --]
[-- Type: application/pgp-signature, Size: 211 bytes --]