diff mbox

Add security bugs to NEWS

Message ID 56A000F8.4030507@redhat.com
State New
Headers show

Commit Message

Florian Weimer Jan. 20, 2016, 9:49 p.m. UTC
This patch adds the recent CVE assignments to the NEWS file.

Florian

Comments

Joseph Myers Feb. 17, 2016, 5:18 p.m. UTC | #1
On Wed, 20 Jan 2016, Florian Weimer wrote:

> This patch adds the recent CVE assignments to the NEWS file.

What happened to this patch - why hasn't it been committed?  We're very 
close to the release now, and this is a release blocker.
Florian Weimer Feb. 17, 2016, 5:23 p.m. UTC | #2
On 02/17/2016 06:18 PM, Joseph Myers wrote:
> On Wed, 20 Jan 2016, Florian Weimer wrote:
> 
>> This patch adds the recent CVE assignments to the NEWS file.
> 
> What happened to this patch - why hasn't it been committed?  We're very 
> close to the release now, and this is a release blocker.

I'm just following the rule that all patches during the hard freeze have
to be approved by the release manager.

Florian
Joseph Myers Feb. 17, 2016, 5:27 p.m. UTC | #3
On Wed, 17 Feb 2016, Florian Weimer wrote:

> On 02/17/2016 06:18 PM, Joseph Myers wrote:
> > On Wed, 20 Jan 2016, Florian Weimer wrote:
> > 
> >> This patch adds the recent CVE assignments to the NEWS file.
> > 
> > What happened to this patch - why hasn't it been committed?  We're very 
> > close to the release now, and this is a release blocker.
> 
> I'm just following the rule that all patches during the hard freeze have
> to be approved by the release manager.

I don't think that should apply to NEWS updates.

More generally, has anyone reviewed the changes since 2.22 for any 
significant non-bug-fix changes that ought to have NEWS entries but don't?
Adhemerval Zanella Netto Feb. 17, 2016, 5:47 p.m. UTC | #4
On 17-02-2016 15:27, Joseph Myers wrote:
> On Wed, 17 Feb 2016, Florian Weimer wrote:
> 
>> On 02/17/2016 06:18 PM, Joseph Myers wrote:
>>> On Wed, 20 Jan 2016, Florian Weimer wrote:
>>>
>>>> This patch adds the recent CVE assignments to the NEWS file.
>>>
>>> What happened to this patch - why hasn't it been committed?  We're very 
>>> close to the release now, and this is a release blocker.
>>
>> I'm just following the rule that all patches during the hard freeze have
>> to be approved by the release manager.
> 
> I don't think that should apply to NEWS updates.

This is also my understanding since the patches itself is upstream
(although some wording/spelling corrections may apply).

> 
> More generally, has anyone reviewed the changes since 2.22 for any 
> significant non-bug-fix changes that ought to have NEWS entries but don't?
> 

Good question, I will check this out.
diff mbox

Patch

diff --git a/NEWS b/NEWS
index 93c09be..9158bfe 100644
--- a/NEWS
+++ b/NEWS
@@ -47,9 +47,6 @@  Version 2.23
   tzselect).  This is useful for people who build the timezone data and code
   independent of the GNU C Library.
 
-* The LD_POINTER_GUARD environment variable can no longer be used to
-  disable the pointer guard feature.  It is always enabled.
-
 * The obsolete header <regexp.h> has been removed.  Programs that require
   this header must be updated to use <regex.h> instead.
 
@@ -75,9 +72,24 @@  Version 2.23
 
 Security related changes:
 
+* An out-of-bounds value in a broken-out struct tm argument to strftime no
+  longer causes a crash.  Reported by Adam Nielsen.  (CVE-2015-8776)
+
+* The LD_POINTER_GUARD environment variable can no longer be used to disable
+  the pointer guard feature.  It is always enabled.  Previously,
+  LD_POINTER_GUARD could be used to disable security hardening in binaries
+  running in privileged AT_SECURE mode.  Reported by Hector Marco-Gisbert.
+  (CVE-2015-8777)
+
+* An integer overflow in hcreate and hcreate_r could lead to an
+  out-of-bounds memory access.  Reported by Szabolcs Nagy.  (CVE-2015-8778)
+
+* The catopen function no longer has unbounded stack usage.  Reported by
+  Max.  (CVE-2015-8779)
+
 * The nan, nanf and nanl functions no longer have unbounded stack usage
   depending on the length of the string passed as an argument to the
-  functions.  Reported by Joseph Myers.
+  functions.  Reported by Joseph Myers.  (CVE-2014-9761)
 
 * The following bugs are resolved with this release: