From: bugzilla@busybox.net
To: buildroot@uclibc.org
Subject: [Buildroot] [Bug 15895] New: glibc version 'GLIBC_VERSION' does not match released glibc version
Date: Wed, 20 Dec 2023 12:17:57 +0000
Message-ID: <bug-15895-163@https.bugs.busybox.net/>
https://bugs.busybox.net/show_bug.cgi?id=15895
Bug ID: 15895
Summary: glibc version 'GLIBC_VERSION' does not match released
glibc version
Product: buildroot
Version: 2023.08
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Other
Assignee: unassigned@buildroot.uclibc.org
Reporter: peter.verbrugge@technolution.nl
CC: buildroot@uclibc.org
Target Milestone: ---
The glibc package generates its own version number for glibc. It seems to be on
purpose but this causes issues when matching versions against the official
glibc releases.
The version generated for 2023.08 seems to be
'glibc:2.37-2-g9f8513dc64119a424b312db97cef5d87d376defa' even though the glibc
project only released 2.37.
For tracking package versions used in a buildroot build we use 'make
show-info'. This generates a json blob containing all information about
packages, including a CPE string.
For glibc in 2023.08 this creates the following CPE string:
'cpe:2.3:a:gnu:glibc:2.37-2-g9f8513dc64119a424b312db97cef5d87d376defa:*:*:*:*:*:*:*'
This string does not match any known CVE security vulnerabilities. All reported
vulnerabilities are reported with the version number 2.37 (without the number
of commits since & hash).
There's probably a reason why buildroot has deviated from the glibc reported
version number & the versions used by the NIST that I'm not seeing, but this
makes the CPE export and subsequent security analysis unusable for glibc.
--
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
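The mismatch described in this report, as an added example (not part of the original message and not Buildroot code): a post-processing step that reduces a git-describe style version inside a CPE 2.3 string to its base release so it can be matched against vulnerability data, while keeping the dropped suffix for triage. The JSON shape, the "cpe-id" key name and the `examplepkg` entry are assumptions; the glibc CPE string is the one quoted in the report.

```python
import json
import re

# Constructed sample shaped like `make show-info` output. The "cpe-id" key name is
# an assumption; the glibc value is the CPE quoted in the report, examplepkg is made up.
SHOW_INFO = json.dumps({
    "glibc": {"cpe-id": "cpe:2.3:a:gnu:glibc:"
              "2.37-2-g9f8513dc64119a424b312db97cef5d87d376defa:*:*:*:*:*:*:*"},
    "examplepkg": {"cpe-id": "cpe:2.3:a:example:examplepkg:1.3:*:*:*:*:*:*:*"},
    "host-skeleton": {},  # packages without a CPE are skipped
})

# `git describe` form: <tag>-<commits since tag>-g<abbreviated or full sha>
GIT_DESCRIBE = re.compile(r"^(?P<tag>.+)-(?P<commits>\d+)-g(?P<sha>[0-9a-f]{7,40})$")


def normalize_cpe(cpe):
    """Return (cpe_for_matching, note); note is None when the version is unchanged."""
    parts = re.split(r"(?<!\\):", cpe)  # split on ':' but not on escaped '\:'
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    m = GIT_DESCRIBE.match(parts[5])  # field 5 is the version
    if m is None:
        return cpe, None
    parts[5] = m["tag"]
    # Keep the dropped suffix: the build is ahead of the release, so a CVE matched
    # on the base version may already be fixed by those extra commits.
    note = f"{m['commits']} commits past {m['tag']} (g{m['sha'][:12]})"
    return ":".join(parts), note


def matching_cpes(show_info_json):
    """Map package name -> (normalized CPE, note) for every package with a CPE."""
    info = json.loads(show_info_json)
    return {name: normalize_cpe(pkg["cpe-id"])
            for name, pkg in info.items() if "cpe-id" in pkg}


if __name__ == "__main__":
    for name, (cpe, note) in matching_cpes(SHOW_INFO).items():
        print(name, cpe, f"[{note}]" if note else "")
```

A non-empty note means a hit on the normalized CPE needs a check against the commits between the release tag and the recorded hash before it is counted as affecting the build.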