Source: glibc
Version: 2.42-13
Severity: important
Tags: security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=34014 https://sourceware.org/bugzilla/show_bug.cgi?id=3401
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerabilities were published for glibc.

CVE-2026-4437[0]:
| Calling gethostbyaddr or gethostbyaddr_r with a configured
| nsswitch.conf that specifies the library's DNS backend in the GNU C
| Library version 2.34 to version 2.43 could, with a crafted response
| from the configured DNS server, result in a violation of the DNS
| specification that causes the application to treat a non-answer
| section of the DNS response as a valid answer.

CVE-2026-4438[1]:
| Calling gethostbyaddr or gethostbyaddr_r with a configured
| nsswitch.conf that specifies the library's DNS backend in the GNU C
| library version 2.34 to version 2.43 could result in an invalid DNS
| hostname being returned to the caller in violation of the DNS
| specification.

I made only one bug because the (original) patch[2] proposed upstream
covered both.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-4437
    https://www.cve.org/CVERecord?id=CVE-2026-4437
[1] https://security-tracker.debian.org/tracker/CVE-2026-4438
    https://www.cve.org/CVERecord?id=CVE-2026-4438
[2] https://inbox.sourceware.org/libc-alpha/[email protected]/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
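As an added example, not code from glibc or from this report: a reverse-lookup wrapper that applies its own hostname-syntax check to what gethostbyaddr_r returns, so an application is not relying on the resolver for the validation that CVE-2026-4438 describes as missing. It assumes RFC 952/1123 hostname rules as the policy and IPv4 input; the function names are the example's own.

```c
/* Added example, not glibc code or part of this report: treat the name a
   reverse lookup returns as untrusted input and check it before use.  Assumed
   policy (RFC 952/1123): ASCII letters, digits, hyphens; labels 1-63 octets,
   no hyphen at either end; at most 253 octets overall; no trailing dot. */
#define _DEFAULT_SOURCE
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Returns 1 if NAME is a syntactically valid DNS hostname, else 0. */
int valid_dns_hostname(const char *name)
{
    size_t total = strlen(name);
    if (total == 0 || total > 253)
        return 0;
    for (const char *label = name;; ) {
        const char *dot = strchr(label, '.');
        size_t llen = dot ? (size_t)(dot - label) : strlen(label);
        if (llen == 0 || llen > 63)
            return 0;               /* empty label ("a..b", ".a", "a.") or too long */
        if (label[0] == '-' || label[llen - 1] == '-')
            return 0;               /* hyphen at a label boundary */
        for (size_t i = 0; i < llen; i++) {
            unsigned char c = (unsigned char)label[i];
            if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                  || (c >= '0' && c <= '9') || c == '-'))
                return 0;           /* space, slash, control byte, non-ASCII... */
        }
        if (dot == NULL)
            return 1;
        label = dot + 1;            /* a trailing dot yields an empty label next */
    }
}

/* IPv4 reverse lookup via gethostbyaddr_r that copies the name into OUT only
   if it passes the check; otherwise OUT stays empty and 0 is returned. */
int reverse_lookup_checked(const struct in_addr *addr, char *out, size_t outlen)
{
    struct hostent he, *res = NULL;
    char buf[2048]; int herr;
    out[0] = '\0';
    if (gethostbyaddr_r(addr, sizeof *addr, AF_INET, &he, buf, sizeof buf,
                        &res, &herr) != 0 || res == NULL || res->h_name == NULL)
        return 0;
    if (!valid_dns_hostname(res->h_name) || strlen(res->h_name) >= outlen)
        return 0;
    strcpy(out, res->h_name);
    return 1;
}
```

On a failed or rejected lookup the caller should log the numeric address instead of the returned name.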

