* [Buildroot] [git commit branch/next] package/glibc: security bump to 2.27
@ 2018-02-06 12:41 Thomas Petazzoni
2018-02-06 12:45 ` Yann E. MORIN
2018-02-06 16:50 ` Baruch Siach
0 siblings, 2 replies; 7+ messages in thread
From: Thomas Petazzoni @ 2018-02-06 12:41 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=c032e6825ad96e6d4b69cecde2402c02a2a356b5
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/next
See: https://sourceware.org/ml/libc-announce/2018/msg00000.html
https://sourceware.org/glibc/wiki/Release/2.27
Fixes the following CVEs:
CVE-2017-1000408
CVE-2017-1000409
CVE-2017-16997
CVE-2018-1000001
CVE-2018-6485
While at it, add license file hashes.
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
package/glibc/glibc.hash | 6 +++++-
package/glibc/glibc.mk | 2 +-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/package/glibc/glibc.hash b/package/glibc/glibc.hash
index f3a6577d2a..86d3bb56dd 100644
--- a/package/glibc/glibc.hash
+++ b/package/glibc/glibc.hash
@@ -1,4 +1,8 @@
# Locally calculated (fetched from Github)
-sha256 0766875391224153502c5542a71b6e46db53b44691078b3130e1a0df41586430 glibc-glibc-2.26-107-g73a92363619e52c458146e903dfb9b1ba823aa40.tar.gz
+sha256 a74489d14f4017bee6a6c6fe76f1de0dbf7d66c8695116de5aadd141c4757892 glibc-glibc-2.27.tar.gz
# Locally calculated (fetched from Github)
sha256 5aa9adeac09727db0b8a52794186563771e74d70410e9fd86431e339953fd4bb glibc-arc-2017.09-release.tar.gz
+
+sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
+sha256 dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551 COPYING.LIB
+sha256 61abdd6930c9c599062d89e916b3e7968783879b6be0ee1c6229dd6169def431 LICENSES
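Review bot: the three license-file entries added at the end of the hunk (COPYING, COPYING.LIB, LICENSES) sit under a bare blank line with no comment, while each tarball entry above carries a "# Locally calculated (fetched from Github)" comment saying how its value was obtained; add a comment such as "# Hashes for license files:" above the new entries so the provenance of every line in the file is stated. Note also that the new tarball entry is, like the one it replaces, only locally calculated from a GitHub-generated archive, so it can catch a changed download but cannot tie the archive to anything upstream publishes; that limitation is worth stating in the comment or in the commit message.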
diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index cf4bdec065..b674191b22 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -10,7 +10,7 @@ GLIBC_SITE = $(call github,foss-for-synopsys-dwc-arc-processors,glibc,$(GLIBC_VE
else
# Generate version string using:
# git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master
-GLIBC_VERSION = glibc-2.26-107-g73a92363619e52c458146e903dfb9b1ba823aa40
+GLIBC_VERSION = glibc-2.27
# Upstream doesn't officially provide an https download link.
# There is one (https://sourceware.org/git/glibc.git) but it's not reliable,
# sometimes the connection times out. So use an unofficial github mirror.
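Review bot: the comment kept at the top of the hunk ("# Generate version string using:" / "# git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master") no longer describes the value below it: GLIBC_VERSION changes from a git-describe string pinning commit 73a92363619e52c458146e903dfb9b1ba823aa40 to the bare tag name "glibc-2.27", which is not what that command produces from a branch head. Either extend the comment to say that exact release tags are used as-is and the describe form is for post-release branch snapshots, or keep the describe output so the version always pins a commit hash. The trailing comment ("# Upstream doesn't officially provide an https download link.") was written for git snapshots; now that a tagged release is used, it should say why the unofficial GitHub mirror is still preferred over an upstream release tarball.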
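The glibc.hash hunk above is what stands between the download step and the build: each non-comment line names a hash algorithm, a hex digest and a file, and the downloaded file is rejected unless every listed digest matches. The following is an added example, written for this page and not Buildroot's own support/download/check-hash script, that parses that three-column format and applies the same policy to a set of constructed files in a temporary directory (the file contents and the deliberately wrong COPYING digest are made up for the demonstration; only the file names echo the hunk). It also shows the two failure modes a reviewer cares about: a digest mismatch and a file that has no entry at all.

```python
"""Verify downloaded files against a Buildroot-style .hash file.

Added example, not Buildroot's own check-hash script.  Each non-comment line
of a .hash file has the form: <algo> <hexdigest> <filename>.
"""
import hashlib
import os
import tempfile

# Hash types a .hash file may name; hashlib provides all of them.
SUPPORTED = {"sha256": hashlib.sha256, "sha1": hashlib.sha1, "md5": hashlib.md5}


def parse_hash_file(text):
    """Return {filename: [(algo, hexdigest), ...]} from .hash file text.

    Blank lines and '#' comments are skipped; a malformed line or an unknown
    hash type raises ValueError rather than being silently ignored.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("line %d: expected '<algo> <hex> <file>'" % lineno)
        algo, digest, name = parts
        if algo not in SUPPORTED:
            raise ValueError("line %d: unsupported hash type %r" % (lineno, algo))
        entries.setdefault(name, []).append((algo, digest.lower()))
    return entries


def file_digest(path, algo):
    """Hex digest of a file, read in 64 KiB chunks."""
    h = SUPPORTED[algo]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_file(path, entries):
    """Return 'ok', 'mismatch' or 'missing' for one downloaded file.

    A file with no entry is not trusted, and a single mismatching digest
    (when several are listed for the same file) rejects the file.
    """
    name = os.path.basename(path)
    if name not in entries:
        return "missing"
    for algo, expected in entries[name]:
        if file_digest(path, algo) != expected:
            return "mismatch"
    return "ok"


def demo():
    """Constructed sample: one good file, one tampered file, one unlisted file."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "glibc-glibc-2.27.tar.gz")  # constructed contents
        with open(good, "wb") as f:
            f.write(b"constructed tarball contents\n")
        tampered = os.path.join(d, "COPYING")  # digest below is deliberately wrong
        with open(tampered, "wb") as f:
            f.write(b"not the real license text\n")
        unlisted = os.path.join(d, "extra.tar.gz")  # no .hash entry at all
        with open(unlisted, "wb") as f:
            f.write(b"never listed in the .hash file\n")

        hash_text = (
            "# Locally calculated (constructed for this example)\n"
            "sha256 %s glibc-glibc-2.27.tar.gz\n"
            "\n"
            "# Hashes for license files (digest deliberately wrong here)\n"
            "sha256 %s COPYING\n"
        ) % (file_digest(good, "sha256"), "00" * 32)
        entries = parse_hash_file(hash_text)
        return {os.path.basename(p): check_file(p, entries)
                for p in (good, tampered, unlisted)}


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```

Running the block reports the first file as ok, COPYING as mismatch and extra.tar.gz as missing. The "missing" outcome is the one a hash file cannot express on its own: whether an unlisted download is accepted or rejected is a policy decision of the caller, and the check above takes the strict side.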
* [Buildroot] [git commit branch/next] package/glibc: security bump to 2.27
2018-02-06 12:41 [Buildroot] [git commit branch/next] package/glibc: security bump to 2.27 Thomas Petazzoni
@ 2018-02-06 12:45 ` Yann E. MORIN
2018-02-06 12:52 ` Baruch Siach
2018-02-06 16:50 ` Baruch Siach
1 sibling, 1 reply; 7+ messages in thread
From: Yann E. MORIN @ 2018-02-06 12:45 UTC (permalink / raw)
To: buildroot
All,
On 2018-02-06 13:41 +0100, Thomas Petazzoni spake thusly:
> commit: https://git.buildroot.net/buildroot/commit/?id=c032e6825ad96e6d4b69cecde2402c02a2a356b5
> branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/next
Subject says "security bump". Sorry, but this is not a security bump.
This is a normal bump that happens to have security fixes.
Otherwise, almost any bump of almost any package is a security bump...
Regards,
Yann E. MORIN.
> See: https://sourceware.org/ml/libc-announce/2018/msg00000.html
> https://sourceware.org/glibc/wiki/Release/2.27
>
> Fixes the following CVEs:
> CVE-2017-1000408
> CVE-2017-1000409
> CVE-2017-16997
> CVE-2018-1000001
> CVE-2018-6485
>
> While at it, add license file hashes.
>
> Signed-off-by: Romain Naour <romain.naour@gmail.com>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
> package/glibc/glibc.hash | 6 +++++-
> package/glibc/glibc.mk | 2 +-
> 2 files changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/package/glibc/glibc.hash b/package/glibc/glibc.hash
> index f3a6577d2a..86d3bb56dd 100644
> --- a/package/glibc/glibc.hash
> +++ b/package/glibc/glibc.hash
> @@ -1,4 +1,8 @@
> # Locally calculated (fetched from Github)
> -sha256 0766875391224153502c5542a71b6e46db53b44691078b3130e1a0df41586430 glibc-glibc-2.26-107-g73a92363619e52c458146e903dfb9b1ba823aa40.tar.gz
> +sha256 a74489d14f4017bee6a6c6fe76f1de0dbf7d66c8695116de5aadd141c4757892 glibc-glibc-2.27.tar.gz
> # Locally calculated (fetched from Github)
> sha256 5aa9adeac09727db0b8a52794186563771e74d70410e9fd86431e339953fd4bb glibc-arc-2017.09-release.tar.gz
> +
> +sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
> +sha256 dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551 COPYING.LIB
> +sha256 61abdd6930c9c599062d89e916b3e7968783879b6be0ee1c6229dd6169def431 LICENSES
> diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
> index cf4bdec065..b674191b22 100644
> --- a/package/glibc/glibc.mk
> +++ b/package/glibc/glibc.mk
> @@ -10,7 +10,7 @@ GLIBC_SITE = $(call github,foss-for-synopsys-dwc-arc-processors,glibc,$(GLIBC_VE
> else
> # Generate version string using:
> # git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master
> -GLIBC_VERSION = glibc-2.26-107-g73a92363619e52c458146e903dfb9b1ba823aa40
> +GLIBC_VERSION = glibc-2.27
> # Upstream doesn't officially provide an https download link.
> # There is one (https://sourceware.org/git/glibc.git) but it's not reliable,
> # sometimes the connection times out. So use an unofficial github mirror.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 223 225 172 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
* [Buildroot] [git commit branch/next] package/glibc: security bump to 2.27
2018-02-06 12:45 ` Yann E. MORIN
@ 2018-02-06 12:52 ` Baruch Siach
2018-02-06 13:51 ` Peter Korsgaard
0 siblings, 1 reply; 7+ messages in thread
From: Baruch Siach @ 2018-02-06 12:52 UTC (permalink / raw)
To: buildroot
Hi Yann,
On Tue, Feb 06, 2018 at 01:45:36PM +0100, Yann E. MORIN wrote:
> On 2018-02-06 13:41 +0100, Thomas Petazzoni spake thusly:
> > commit: https://git.buildroot.net/buildroot/commit/?id=c032e6825ad96e6d4b69cecde2402c02a2a356b5
> > branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/next
>
> Subject says "security bump". Sorry, but this is not a security bump.
> This is a normal bump that happens to have security fixes.
>
> Otherwise, almost any bump of almost any package is a security bump...
When we know that a package bump fixes a known security issue we usually note
that in the subject line. Look for 'security' in commit subjects. You will
find that many (most?) are just version bumps.
baruch
--
http://baruch.siach.name/blog/ ~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
* [Buildroot] [git commit branch/next] package/glibc: security bump to 2.27
2018-02-06 12:52 ` Baruch Siach
@ 2018-02-06 13:51 ` Peter Korsgaard
0 siblings, 0 replies; 7+ messages in thread
From: Peter Korsgaard @ 2018-02-06 13:51 UTC (permalink / raw)
To: buildroot
>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
> Hi Yann,
> On Tue, Feb 06, 2018 at 01:45:36PM +0100, Yann E. MORIN wrote:
>> On 2018-02-06 13:41 +0100, Thomas Petazzoni spake thusly:
>> > commit: https://git.buildroot.net/buildroot/commit/?id=c032e6825ad96e6d4b69cecde2402c02a2a356b5
>> > branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/next
>>
>> Subject says "security bump". Sorry, but this is not a security bump.
>> This is a normal bump that happens to have security fixes.
>>
>> Otherwise, almost any bump of almost any package is a security bump...
> When we know that a package bump fixes a known security issue we usually note
> that in the subject line. Look for 'security' in commit subjects. You will
> find that many (most?) are just version bumps.
Indeed, this is in line with the other commits. It is somewhat sad that
glibc does not separate security fixes from feature releases, but that's
how it is.
--
Bye, Peter Korsgaard
* [Buildroot] [git commit branch/next] package/glibc: security bump to 2.27
2018-02-06 12:41 [Buildroot] [git commit branch/next] package/glibc: security bump to 2.27 Thomas Petazzoni
2018-02-06 12:45 ` Yann E. MORIN
@ 2018-02-06 16:50 ` Baruch Siach
2018-02-06 18:43 ` Romain Naour
1 sibling, 1 reply; 7+ messages in thread
From: Baruch Siach @ 2018-02-06 16:50 UTC (permalink / raw)
To: buildroot
Hi Thomas,
On Tue, Feb 06, 2018 at 01:41:48PM +0100, Thomas Petazzoni wrote:
> diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
> index cf4bdec065..b674191b22 100644
> --- a/package/glibc/glibc.mk
> +++ b/package/glibc/glibc.mk
> @@ -10,7 +10,7 @@ GLIBC_SITE = $(call github,foss-for-synopsys-dwc-arc-processors,glibc,$(GLIBC_VE
> else
> # Generate version string using:
> # git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master
> -GLIBC_VERSION = glibc-2.26-107-g73a92363619e52c458146e903dfb9b1ba823aa40
> +GLIBC_VERSION = glibc-2.27
> # Upstream doesn't officially provide an https download link.
> # There is one (https://sourceware.org/git/glibc.git) but it's not reliable,
> # sometimes the connection times out. So use an unofficial github mirror.
Any reason not to use upstream tarball now that we use an official release?
https://ftp.gnu.org/gnu/glibc/glibc-2.27.tar.xz
baruch
--
http://baruch.siach.name/blog/ ~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch at tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
* [Buildroot] [git commit branch/next] package/glibc: security bump to 2.27
2018-02-06 16:50 ` Baruch Siach
@ 2018-02-06 18:43 ` Romain Naour
2018-02-06 18:58 ` Thomas Petazzoni
0 siblings, 1 reply; 7+ messages in thread
From: Romain Naour @ 2018-02-06 18:43 UTC (permalink / raw)
To: buildroot
Hi Baruch,
On 6 Feb 2018 at 17:50, "Baruch Siach" <baruch@tkos.co.il> wrote:
Hi Thomas,
On Tue, Feb 06, 2018 at 01:41:48PM +0100, Thomas Petazzoni wrote:
> diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
> index cf4bdec065..b674191b22 100644
> --- a/package/glibc/glibc.mk
> +++ b/package/glibc/glibc.mk
> @@ -10,7 +10,7 @@ GLIBC_SITE = $(call github,foss-for-synopsys-dwc-
arc-processors,glibc,$(GLIBC_VE
> else
> # Generate version string using:
> # git describe --match 'glibc-*' --abbrev=40
origin/release/MAJOR.MINOR/master
> -GLIBC_VERSION = glibc-2.26-107-g73a92363619e52c458146e903dfb9b1ba823aa40
> +GLIBC_VERSION = glibc-2.27
> # Upstream doesn't officially provide an https download link.
> # There is one (https://sourceware.org/git/glibc.git) but it's not
reliable,
> # sometimes the connection times out. So use an unofficial github mirror.
Any reason not to use upstream tarball now that we use an official release?
https://ftp.gnu.org/gnu/glibc/glibc-2.27.tar.xz
We are expecting to follow the glibc 2.27 stable branch as soon as new
commits are backported, so keep git things in place.
Romain
* [Buildroot] [git commit branch/next] package/glibc: security bump to 2.27
2018-02-06 18:43 ` Romain Naour
@ 2018-02-06 18:58 ` Thomas Petazzoni
0 siblings, 0 replies; 7+ messages in thread
From: Thomas Petazzoni @ 2018-02-06 18:58 UTC (permalink / raw)
To: buildroot
Hello,
On Tue, 6 Feb 2018 19:43:07 +0100, Romain Naour wrote:
> > Any reason not to use upstream tarball now that we use an official release?
>
> > https://ftp.gnu.org/gnu/glibc/glibc-2.27.tar.xz
>
> We are expecting to follow the glibc 2.27 stable branch as soon as new
> commits are backported, so keep git things in place.
Fully agreed.
Thomas
--
Thomas Petazzoni, CTO, Bootlin (formerly Free Electrons)
Embedded Linux and Kernel engineering
http://bootlin.com
Thread overview: 7+ messages
2018-02-06 12:41 [Buildroot] [git commit branch/next] package/glibc: security bump to 2.27 Thomas Petazzoni
2018-02-06 12:45 ` Yann E. MORIN
2018-02-06 12:52 ` Baruch Siach
2018-02-06 13:51 ` Peter Korsgaard
2018-02-06 16:50 ` Baruch Siach
2018-02-06 18:43 ` Romain Naour
2018-02-06 18:58 ` Thomas Petazzoni