This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: Updating NEWS for 2.26


On Sunday 30 July 2017 05:46 PM, Joseph Myers wrote:
> On Mon, 3 Jul 2017, Joseph Myers wrote:
> 
>> The NEWS section for security-related changes in 2.26 seems very 
>> incomplete, with only a single entry.  It clearly needs to be filled out.  
>> If people know of other significant changes missing from the main NEWS 
>> section for 2.26, they should add those as well.
> 
> Reminder: the security-related section is still almost empty.  This needs 
> to be fixed before the release.

This is what I've come up with based on bugzilla.  I'll commit this
before release if it looks OK.

Siddhesh


diff --git a/NEWS b/NEWS
index ab0fb54..e068557 100644
--- a/NEWS
+++ b/NEWS
@@ -196,6 +196,13 @@ Security related changes:
 * The DNS stub resolver limits the advertised UDP buffer size to 1200
bytes,
   to avoid fragmentation-based spoofing attacks.

+* LD_LIBRARY_PATH is now ignored in binaries running in privileged
AT_SECURE
+  mode to guard against local privilege escalation attacks
(CVE-2017-1000366).
+
+* Avoid printing a backtrace from the __stack_chk_fail function since it is
+  called on a corrupt stack and a backtrace is unreliable on a corrupt
stack
+  (CVE-2010-3192).
+
 The following bugs are resolved with this release:

   [The release manager will add the list generated by
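Review bot: the second added entry says "on a corrupt stack" twice in consecutive lines ("called on a corrupt stack and a backtrace is unreliable on a corrupt stack"); tightening it to something like "since it is called on a corrupt stack, where a backtrace is unreliable (CVE-2010-3192)" reads better and stays within the NEWS wrapping width. Also, as posted the hunk has been re-wrapped by the mailer (e.g. "bytes," and "AT_SECURE" sit on their own lines without a leading "+" or space), so the patch will not apply as quoted; the committed version should be checked against the intended line breaks.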

