{"id":2231093,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2231093/?format=json","web_url":"http://patchwork.ozlabs.org/project/glibc/patch/3a2b6ed629ccc8bf33644220d58fe3bfc94da09f.1777546194.git.fweimer@redhat.com/","project":{"id":41,"url":"http://patchwork.ozlabs.org/api/1.2/projects/41/?format=json","name":"GNU C Library","link_name":"glibc","list_id":"libc-alpha.sourceware.org","list_email":"libc-alpha@sourceware.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<3a2b6ed629ccc8bf33644220d58fe3bfc94da09f.1777546194.git.fweimer@redhat.com>","list_archive_url":null,"date":"2026-04-30T10:51:58","name":"[1/5] Update GLIBC-SA-2026-0012 to mention A6 records","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"14087f83658db6c1317d60554f7679a5c8cc95c1","submitter":{"id":14312,"url":"http://patchwork.ozlabs.org/api/1.2/people/14312/?format=json","name":"Florian Weimer","email":"fweimer@redhat.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/glibc/patch/3a2b6ed629ccc8bf33644220d58fe3bfc94da09f.1777546194.git.fweimer@redhat.com/mbox/","series":[{"id":502273,"url":"http://patchwork.ozlabs.org/api/1.2/series/502273/?format=json","web_url":"http://patchwork.ozlabs.org/project/glibc/list/?series=502273","date":"2026-04-30T10:51:34","name":"Fixes for CVE-2026-5435, CVE-2026-6238","version":1,"mbox":"http://patchwork.ozlabs.org/series/502273/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2231093/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2231093/checks/","tags":{},"related":[],"headers":{"Return-Path":"<libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org>","X-Original-To":["incoming@patchwork.ozlabs.org","libc-alpha@sourceware.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","libc-alpha@sourceware.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=YCGFr+bW;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org\n (client-ip=2620:52:6:3111::32; helo=vm01.sourceware.org;\n envelope-from=libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org;\n receiver=patchwork.ozlabs.org)","sourceware.org;\n\tdkim=pass (1024-bit key,\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=YCGFr+bW","sourceware.org; dmarc=pass (p=quarantine dis=none)\n header.from=redhat.com","sourceware.org; spf=pass smtp.mailfrom=redhat.com","server2.sourceware.org;\n arc=none smtp.remote-ip=170.10.133.124"],"Received":["from vm01.sourceware.org (vm01.sourceware.org\n [IPv6:2620:52:6:3111::32])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5rbf40rFz1yGq\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 30 Apr 2026 20:52:30 +1000 (AEST)","from vm01.sourceware.org (localhost [127.0.0.1])\n\tby sourceware.org (Postfix) with ESMTP id 7BA664310D7E\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 30 Apr 2026 10:52:28 +0000 (GMT)","from us-smtp-delivery-124.mimecast.com\n (us-smtp-delivery-124.mimecast.com [170.10.133.124])\n by sourceware.org (Postfix) with ESMTP id 9A5BD436F7FD\n for <libc-alpha@sourceware.org>; Thu, 30 Apr 2026 10:52:03 +0000 (GMT)","from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-488-xZpkl2fnPfixqCqJ1oQNJg-1; Thu,\n 30 Apr 2026 06:52:02 -0400","from mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.4])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id 325121800350\n for <libc-alpha@sourceware.org>; Thu, 30 Apr 2026 10:52:01 +0000 (UTC)","from fweimer-oldenburg.csb.redhat.com (unknown [10.44.48.4])\n by mx-prod-int-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with\n ESMTPS\n id 7BAFA300019F\n for <libc-alpha@sourceware.org>; Thu, 30 Apr 2026 10:52:00 +0000 (UTC)"],"DKIM-Filter":["OpenDKIM Filter v2.11.0 sourceware.org 7BA664310D7E","OpenDKIM Filter v2.11.0 sourceware.org 9A5BD436F7FD"],"DMARC-Filter":"OpenDMARC Filter v1.4.2 sourceware.org 9A5BD436F7FD","ARC-Filter":"OpenARC Filter v1.0.0 sourceware.org 9A5BD436F7FD","ARC-Seal":"i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1777546323; cv=none;\n b=Yef3LXf6Wnb7Vpt5KUDnHTvZA0eVF2brHx9MN5hehhidOH+EmOaqAAJt72L6vNFZT7ju5B/o7om1A/gI7uGtcQI9vqf8fYqKwWeTk/SlWLnwE+rZ49YPFe8duRWeXq6GrtquqZH+Lseru1VB7pM3GoN2et7i8X5rMD+bc/CfUZA=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=sourceware.org; s=key;\n t=1777546323; c=relaxed/simple;\n bh=JjWvppBx6PSx15cVvyDa3r366/EpfWW1tWU8xc3bpKs=;\n h=DKIM-Signature:From:To:Subject:Message-ID:Date:MIME-Version;\n b=ACOFK86VEWBECbus/0PDN4118kbfgteQDMjcwM+l3jCNdKVpoYEOYalqaJKXiA+g4RDiKCMbIp7liZMU0DsmdDPVakSPH0JXGQ0N/rgW8loE8E5ckwLXwS94vvY8ZMBJ/G37fJKHX5BELx456HlQ2eDfwYIJR+fY7r6oI9oQO8s=","ARC-Authentication-Results":"i=1; server2.sourceware.org","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1777546323;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:mime-version:mime-version:content-type:content-type:\n in-reply-to:in-reply-to:references:references;\n bh=mN64txNhqZPugORMmqrnPjd2KPkU4pSpmLEDoAQJgDE=;\n b=YCGFr+bW2fPuk/+c4pwHYsk1NsYNSjTIb3yRaKwOlIKgRq7Bqb+BsVvHze/JH6MnARfHHW\n KmiJw8hhEMJj60g82QuWXMhEczMY0/KlMShfAbVN/pKKonx78T7l94BEnRqFnMiMchoyIC\n fR91fcXyBZocGVH0fbTqtTq1JOL6vLI=","X-MC-Unique":"xZpkl2fnPfixqCqJ1oQNJg-1","X-Mimecast-MFC-AGG-ID":"xZpkl2fnPfixqCqJ1oQNJg_1777546321","From":"Florian Weimer <fweimer@redhat.com>","To":"libc-alpha@sourceware.org","Subject":"[PATCH 1/5] Update GLIBC-SA-2026-0012 to mention A6 records","In-Reply-To":"<cover.1777546194.git.fweimer@redhat.com>","Message-ID":"\n <3a2b6ed629ccc8bf33644220d58fe3bfc94da09f.1777546194.git.fweimer@redhat.com>","References":"<cover.1777546194.git.fweimer@redhat.com>","X-From-Line":"3a2b6ed629ccc8bf33644220d58fe3bfc94da09f Mon Sep 17 00:00:00 2001","Date":"Thu, 30 Apr 2026 12:51:58 +0200","User-Agent":"Gnus/5.13 (Gnus v5.13)","MIME-Version":"1.0","X-Scanned-By":"MIMEDefang 3.4.1 on 10.30.177.4","X-Mimecast-Spam-Score":"0","X-Mimecast-MFC-PROC-ID":"PTp5OC-p7altvGb8NUxIrBvQbfThJi0UDgr1X4ez5P4_1777546321","X-Mimecast-Originator":"redhat.com","Content-Type":"text/plain","X-BeenThere":"libc-alpha@sourceware.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Libc-alpha mailing list <libc-alpha.sourceware.org>","List-Unsubscribe":"<https://sourceware.org/mailman/options/libc-alpha>,\n <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>","List-Archive":"<https://sourceware.org/pipermail/libc-alpha/>","List-Post":"<mailto:libc-alpha@sourceware.org>","List-Help":"<mailto:libc-alpha-request@sourceware.org?subject=help>","List-Subscribe":"<https://sourceware.org/mailman/listinfo/libc-alpha>,\n <mailto:libc-alpha-request@sourceware.org?subject=subscribe>","Errors-To":"libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org"},"content":"It turns out there is a missing inner length check in it, too.\n\nAlso fix the vulnerable commit.  It predates the glibc 2.0 release\nbecause the old stream-based formatting code in resolv/res_debug.c had\nthe same bug in its LOC handling.\n---\n advisories/GLIBC-SA-2026-0012 | 4 ++--\n 1 file changed, 2 insertions(+), 2 deletions(-)","diff":"diff --git a/advisories/GLIBC-SA-2026-0012 b/advisories/GLIBC-SA-2026-0012\nindex 6f8f00ddd7..926ca16102 100644\n--- a/advisories/GLIBC-SA-2026-0012\n+++ b/advisories/GLIBC-SA-2026-0012\n@@ -2,7 +2,7 @@ Buffer overread in ns_printrrf with corrupted RDATA field\n \n The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the\n GNU C Library version 2.2 and newer fail to validate the RDATA content\n-against the RDATA length in a DNS response when processing LOC, CERT,\n+against the RDATA length in a DNS response when processing A6, CERT, LOC,\n TKEY or TSIG records, which may allow an attacker to craft a DNS\n response, causing a target application to crash or read uninitialized\n memory.\n@@ -15,4 +15,4 @@ interfaces since they may be removed in future versions.\n \n CVE-Id: CVE-2026-6238\n Public-Date: 2026-04-11\n-Vulnerable-Commit: b43b13ac2544b11f35be301d1589b51a8473e32b (2.2)\n+Vulnerable-Commit: ee188d555b8c32ad9704a7440cab400af967292f (1.90)\n","prefixes":["1/5"]}