This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: Updating NEWS for 2.26
On Sunday 30 July 2017 05:46 PM, Joseph Myers wrote:
> On Mon, 3 Jul 2017, Joseph Myers wrote:
>
>> The NEWS section for security-related changes in 2.26 seems very
>> incomplete, with only a single entry. It clearly needs to be filled out.
>> If people know of other significant changes missing from the main NEWS
>> section for 2.26, they should add those as well.
>
> Reminder: the security-related section is still almost empty. This needs
> to be fixed before the release.
This is what I've come up with based on bugzilla. I'll commit this
before release if it looks OK.
Siddhesh
diff --git a/NEWS b/NEWS
index ab0fb54..e068557 100644
--- a/NEWS
+++ b/NEWS
@@ -196,6 +196,13 @@ Security related changes:
* The DNS stub resolver limits the advertised UDP buffer size to 1200
bytes,
to avoid fragmentation-based spoofing attacks.
+* LD_LIBRARY_PATH is now ignored in binaries running in privileged
AT_SECURE
+ mode to guard against local privilege escalation attacks
(CVE-2017-1000366).
+
+* Avoid printing a backtrace from the __stack_chk_fail function since it is
+ called on a corrupt stack and a backtrace is unreliable on a corrupt
stack
+ (CVE-2010-3192).
+
The following bugs are resolved with this release:
[The release manager will add the list generated by
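Review bot: The added lines have been wrapped in transit, so "AT_SECURE", "(CVE-2017-1000366)." and "stack" sit on continuation lines with no leading "+", and the patch will not apply from this mail; the underlying NEWS lines also appear to run longer than the surrounding entries, so they should be rewrapped in the file before committing. On wording, the second new entry is an imperative ("Avoid printing a backtrace ...") and says "corrupt stack" twice, whereas the DNS resolver entry in the context and the LD_LIBRARY_PATH entry both describe the new behaviour. Something like "The __stack_chk_fail function no longer prints a backtrace, since it is called on a corrupt stack where a backtrace is unreliable (CVE-2010-3192)." would match them. The LD_LIBRARY_PATH entry could also say in a few words what it means for existing setuid or otherwise AT_SECURE programs that relied on the variable, since this is a user-visible behaviour change as well as a security fix.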