@@ -1,5 +1,5 @@
# Locally calculated (fetched from Github)
-sha256 d7d829f90f03e00d42d7d34ff7e972a59b14e2b70fa2e852893018349aafa5f7 glibc-2.36-118-g22955ad85186ee05834e47e665056148ca07699c.tar.gz
+sha256 30cdd65d82b6d53d4470e4bf89cab7c5cc1a8edaf8830358d8542e1c847e2d0b glibc-2.36-128-gb9b7d6a27aa0632f334352fa400771115b3c69b7.tar.gz
# Hashes for license files
sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
@@ -7,7 +7,8 @@
# Generate version string using:
# git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
# When updating the version, please also update localedef
-GLIBC_VERSION = 2.36-118-g22955ad85186ee05834e47e665056148ca07699c
+GLIBC_VERSION = 2.36-128-gb9b7d6a27aa0632f334352fa400771115b3c69b7
+
# Upstream doesn't officially provide an https download link.
# There is one (https://sourceware.org/git/glibc.git) but it's not reliable,
# sometimes the connection times out. So use an unofficial github mirror.
@@ -44,6 +45,18 @@ GLIBC_IGNORE_CVES += CVE-2023-4911
# 2.36 and the version we're really using.
GLIBC_IGNORE_CVES += CVE-2023-5156
+# Fixed by d1a83b6767f68b3cb5b4b4ea2617254acd040c82, which is between
+# 2.36 and the version we're really using.
+GLIBC_IGNORE_CVES += CVE-2023-6246
+
+# Fixed by 2bc9d7c002bdac38b5c2a3f11b78e309d7765b83, which is between
+# 2.36 and the version we're really using.
+GLIBC_IGNORE_CVES += CVE-2023-6779
+
+# Fixed by b9b7d6a27aa0632f334352fa400771115b3c69b7, which is between
+# 2.36 and the version we're really using.
+GLIBC_IGNORE_CVES += CVE-2023-6780
+
# All these CVEs are considered as not being security issues by
# upstream glibc:
# https://security-tracker.debian.org/tracker/CVE-2010-4756
@@ -7,7 +7,7 @@
# Use the same VERSION and SITE as target glibc
# As in glibc.mk, generate version string using:
# git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
-LOCALEDEF_VERSION = 2.36-118-g22955ad85186ee05834e47e665056148ca07699c
+LOCALEDEF_VERSION = 2.36-128-gb9b7d6a27aa0632f334352fa400771115b3c69b7
LOCALEDEF_SOURCE = glibc-$(LOCALEDEF_VERSION).tar.gz
LOCALEDEF_SITE = $(call github,bminor,glibc,$(LOCALEDEF_VERSION))
HOST_LOCALEDEF_DL_SUBDIR = glibc
Fixes the following security issues: CVE-2023-6246: syslog: Fix heap buffer overflow in __vsyslog_internal https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2024-0001;hb=HEAD CVE-2023-6779: syslog: Heap buffer overflow in __vsyslog_internal https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2024-0002;hb=HEAD CVE-2023-6780: syslog: Integer overflow in __vsyslog_internal https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2024-0003;hb=HEAD For details, see the Qualys advisory: https://www.openwall.com/lists/oss-security/2024/01/30/6 Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- package/glibc/glibc.hash | 2 +- package/glibc/glibc.mk | 15 ++++++++++++++- package/localedef/localedef.mk | 2 +- 3 files changed, 16 insertions(+), 3 deletions(-)