--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2018-060302dc83
2018-12-04 02:22:12.111599
--------------------------------------------------------------------------------

Name        : glibc
Product     : Fedora 28
Version     : 2.27
Release     : 35.fc28
URL         : http://www.gnu.org/software/glibc/
Summary     : The GNU libc libraries
Description :
The glibc package contains standard libraries which are used by
multiple programs on the system. In order to save disk space and
memory, as well as to make upgrading easier, common system code is
kept in one place and shared between programs. This particular package
contains the most important sets of shared libraries: the standard C
library and the standard math library. Without these two libraries, a
Linux system will not function.

--------------------------------------------------------------------------------
Update Information:

This update for the `glibc` package addresses one moderate security
vulnerability and several defects.

* CVE-2018-19591: A file descriptor leak in `if_nametoindex` can lead to a
  denial of service due to resource exhaustion when processing `getaddrinfo`
  calls with crafted host names. Reported by Guido Vranken. (RHBZ#1654000)
* Failure to create the helper thread for `getaddrinfo_a`/`libanl` could
  result in a crash. (RHBZ#1646381)
* On certain Haswell-class Intel CPUs, string function feature flags could be
  set incorrectly, leading to a suboptimal choice of string functions.
  (RHBZ#1641980)
* Parallel building of locales led to nondeterminism in the RPM build process.
  (RHBZ#1652228)
* Various minor bug fixes from the upstream 2.27 release branch were imported
  as part of this update
  ([swbz#17630](https://sourceware.org/bugzilla/show_bug.cgi?id=17630),
  [swbz#22753](https://sourceware.org/bugzilla/show_bug.cgi?id=22753),
  [swbz#23275](https://sourceware.org/bugzilla/show_bug.cgi?id=23275),
  [swbz#23562](https://sourceware.org/bugzilla/show_bug.cgi?id=23562),
  [swbz#23579](https://sourceware.org/bugzilla/show_bug.cgi?id=23579),
  [swbz#23822](https://sourceware.org/bugzilla/show_bug.cgi?id=23822)).
--------------------------------------------------------------------------------
ChangeLog:

* Wed Nov 28 2018 Florian Weimer fweimer@redhat.com - 2.27-35
- Auto-sync with upstream branch release/2.27/master, commit 9f433fc791ca4f9d678903ff45b504b524c886fb:
- CVE-2018-19591: if_nametoindex: Fix descriptor leak (#1654000)
- libanl: proper cleanup if first helper thread creation failed (#1646381)
- x86: Fix Haswell CPU string flags (#1641980)
- resolv/tst-resolv-network.c: Additional test case (swbz#17630)
- ia64: fix missing exp2f, log2f and powf symbols in libm.a (swbz#23822)
- conform: XFAIL siginfo_t si_band test on sparc64
- signal: Use correct type for si_band in siginfo_t (swbz#23562)
- pthread_mutex_lock: Fix race while promoting to PTHREAD_MUTEX_ELISION_NP (swbz#23275)
- preadv2/pwritev2: Fix misreported errno (swbz#23579)
- preadv2/pwritev2: Handle offset == -1 (swbz#22753)
- posix_spawn: Fix potential segmentation fault
* Mon Nov 26 2018 Florian Weimer fweimer@redhat.com - 2.27-34
- Do not use parallel make for building locales (#1652228)
* Thu Aug 30 2018 Florian Weimer fweimer@redhat.com - 2.27-33
- Revert glibc_make_flags setting which is not needed in Fedora 28 (#1600034)
* Wed Aug 29 2018 Florian Weimer fweimer@redhat.com - 2.27-32
- Auto-sync with upstream branch release/2.27/master, commit 2b47bb9cba048e778a7d832f284feccb14a40483:
- nptl: Fix waiters-after-spinning case in pthread_cond_broadcast (#1622669)
- x86: Correct index_cpu_LZCNT (swbz#23456)
- x86: Populate COMMON_CPUID_INDEX_80000001 for Intel CPUs (swbz#23459)
* Mon Aug 13 2018 Carlos O'Donell carlos@redhat.com - 2.27-31
- Remove abort() warning in manual (#1615608)
* Wed Jul 11 2018 Florian Weimer fweimer@redhat.com - 2.27-30
- Auto-sync with upstream branch release/2.27/master, commit 68c1bf80978594388157c62fd2edd467d4e8dfb2:
- regexec: Fix off-by-one bug in weight comparison (#1582229)
- es_BO locale: Change LC_PAPER to en_US (swbz#22996)
- conform/conformtest.pl: Escape literal braces in regular expressions
* Wed Jul 11 2018 Florian Weimer fweimer@redhat.com - 2.27-29
- Add POWER9 multilib (downstream only)
* Wed Jul 11 2018 Florian Weimer fweimer@redhat.com - 2.27-28
- Work around valgrind issue on i686 (#1600034)
* Fri Jul 6 2018 Florian Weimer fweimer@redhat.com - 2.27-27
- Build additional files with stack protector
* Fri Jul 6 2018 Florian Weimer fweimer@redhat.com - 2.27-26
- Enable build flags inheritance for nonshared flags
* Fri Jul 6 2018 Florian Weimer fweimer@redhat.com - 2.27-25
- Inherit further build flags (downstream only)
* Wed Jul 4 2018 Florian Weimer fweimer@redhat.com - 2.27-24
- Add annobin annotations to assembler code (downstream only) (#1548438)
* Wed Jul 4 2018 Florian Weimer fweimer@redhat.com - 2.27-23
- Enable -D_FORTIFY_SOURCE=2 for nonshared code
* Wed Jul 4 2018 Florian Weimer fweimer@redhat.com - 2.27-22
- Auto-sync with upstream branch release/2.27/master, commit 5fab7fe1dc9cab9a46cf5c8840aa9b7ea3a26296:
- math: Set 387 and SSE2 rounding mode for tgamma on i386 (swbz#23253)
* Wed Jul 4 2018 Florian Weimer fweimer@redhat.com - 2.27-21
- Switch to upstream implementation of --disable-crypt (#1566464)
* Tue Jul 3 2018 Florian Weimer fweimer@redhat.com - 2.27-20
- Auto-sync with upstream branch release/2.27/master, commit 7602b9e48c30c146d52df91dd83e518b8d0d343b:
- math: Fix parameter type in C++ version of iseqsig (swbz#23171)
- Use _STRUCT_TIMESPEC as guard in <bits/types/struct_timespec.h> (swbz#23349)
- getifaddrs: Don't return ifa entries with NULL names (swbz#21812)
- libio: Disable vtable validation in case of interposition (swbz#23313)
- stdio-common/tst-printf.c: Remove part under a non-free license (swbz#23363)
* Wed Jun 20 2018 Florian Weimer fweimer@redhat.com - 2.27-19
- Modernise nsswitch.conf defaults (#1581809)
* Mon Jun 18 2018 Florian Weimer fweimer@redhat.com - 2.27-18
- iconv: Make IBM273 equivalent to ISO-8859-1 (#1592270)
* Mon Jun 18 2018 Florian Weimer fweimer@redhat.com - 2.27-17
- Align build flags inheritance with master (downstream only)
* Mon Jun 18 2018 Florian Weimer fweimer@redhat.com - 2.27-16
- Auto-sync with upstream branch release/2.27/master, commit 80c83e91140d429c73f79092fdb75eed0fb71da0:
- libio: Avoid _allocate_buffer, _free_buffer function pointers (swbz#23236)
- posix: Fix posix_spawnp to not execute invalid binaries in non compat mode (swbz#23264)
- elf: Improve DST handling (swbz#23102, swbz#21942, swbz#18018, swbz#23259)
* Thu May 24 2018 Florian Weimer fweimer@redhat.com - 2.27-15
- Rebuild to add back .symtab section in ld.so (#1570246)
- Switch to upstream version of libidn2 removal (#1452750)
- Auto-sync with upstream branch release/2.27/master, commit 50df56ca86a281c8fd99a8100aac75539813788d:
- CVE-2018-11237: Buffer overflow in mempcpy for Xeon Phi (#1581275)
* Thu May 17 2018 Florian Weimer fweimer@redhat.com - 2.27-14
- Do not run telinit u on upgrades (#1579225)
* Tue May 15 2018 Florian Weimer fweimer@redhat.com - 2.27-13
- Auto-sync with upstream branch release/2.27/master, commit 0cd4a5e87f6885a2f15fe8e7eb7378d010cdb606:
- sunrpc: Remove stray exports (#1577210)
- gd_GB: Fix typo in abbreviated "May" (swbz#23152)
- CVE-2018-11236: realpath: Fix path length overflow (#1581270, swbz#22786)
- elf: Fix stack overflow with huge PT_NOTE segment (swbz#20419)
- resolv: Fully initialize struct mmsghdr in send_dg (swbz#23037)
- manual: Various fixes to the mbstouwcs example, and mbrtowc update
- getlogin_r: return early when linux sentinel value is set
- resolv: Fix crash in resolver on memory allocation failure (swbz#23005)
- Fix signed integer overflow in random_r (swbz#17343)
- RISC-V: fix struct kernel_sigaction to match the kernel version (swbz#23069)
* Fri May 11 2018 Florian Weimer fweimer@redhat.com - 2.27-12
- Unconditionally build downstream with -mstackrealign for now
* Fri May 11 2018 Florian Weimer fweimer@redhat.com - 2.27-11
- Inherit compiler flags in the original order
* Fri May 11 2018 Florian Weimer fweimer@redhat.com - 2.27-10
- Inherit the -mstackrealign flag if it is set
* Fri May 11 2018 Florian Weimer fweimer@redhat.com - 2.27-9
- Use /usr/bin/python3 for benchmarks scripts (#1577223)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1653993 - CVE-2018-19591 glibc: file descriptor leak in if_nametoindex() in sysdeps/unix/sysv/linux/if_index.c
        https://bugzilla.redhat.com/show_bug.cgi?id=1653993
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2018-060302dc83' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

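A post-upgrade check, added here as an example and not part of the Fedora notification: it reads an RPM changelog in the format shown under ChangeLog and reports which release lists a given CVE. The helper names `cve_fixed_in` and `sample_changelog` are hypothetical, and the sample input is constructed from entries in this notice.

```shell
#!/bin/sh
# Added example: find which package release lists a CVE in an RPM changelog.
# cve_fixed_in and sample_changelog are hypothetical helper names.

# Read changelog text on stdin; print the version-release of the newest entry
# that mentions the CVE id given as $1. Exit status is 1 if no entry does.
cve_fixed_in() {
    awk -v cve="$1" '
        # True if the line contains the id and the id is not just a prefix
        # of a longer number (CVE-2018-1123 must not match CVE-2018-11237).
        function mentions(line, id,    i) {
            i = index(line, id)
            return i && substr(line, i + length(id), 1) !~ /[0-9]/
        }
        /^\* /                      { rel = $NF }   # header ends in version-release
        !found && mentions($0, cve) { print rel; found = 1 }
        END                         { exit !found }
    '
}

# Constructed sample: a few entries copied from the ChangeLog in this notice.
sample_changelog() {
    cat <<'EOF'
* Wed Nov 28 2018 Florian Weimer fweimer@redhat.com - 2.27-35
- CVE-2018-19591: if_nametoindex: Fix descriptor leak (#1654000)
- libanl: proper cleanup if first helper thread creation failed (#1646381)
* Mon Nov 26 2018 Florian Weimer fweimer@redhat.com - 2.27-34
- Do not use parallel make for building locales (#1652228)
* Thu May 24 2018 Florian Weimer fweimer@redhat.com - 2.27-15
- CVE-2018-11237: Buffer overflow in mempcpy for Xeon Phi (#1581275)
EOF
}

# On an installed system the input would come from the package database:
#   rpm -q --changelog glibc | cve_fixed_in CVE-2018-19591
sample_changelog | cve_fixed_in CVE-2018-19591
```

A non-zero exit status from the `rpm` pipeline means the installed glibc changelog does not list the fix, so the advisory has not been applied on that host.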
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
package-announce@lists.fedoraproject.org