control: clone -1 -2
control: retitle -1 glibc: CVE-2026-4437
control: retitle -2 glibc: CVE-2026-4438
Hi,

On 2026-03-21 12:41, Salvatore Bonaccorso wrote:
> Source: glibc
> Version: 2.42-13
> Severity: important
> Tags: security upstream
> Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=34014
>            https://sourceware.org/bugzilla/show_bug.cgi?id=3401
> X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
>
> Hi,
>
> The following vulnerabilities were published for glibc.
>
> CVE-2026-4437[0]:
> | Calling gethostbyaddr or gethostbyaddr_r with a configured
> | nsswitch.conf that specifies the library's DNS backend in the GNU C
> | Library version 2.34 to version 2.43 could, with a crafted response
> | from the configured DNS server, result in a violation of the DNS
> | specification that causes the application to treat a non-answer
> | section of the DNS response as a valid answer.
>
> CVE-2026-4438[1]:
> | Calling gethostbyaddr or gethostbyaddr_r with a configured
> | nsswitch.conf that specifies the library's DNS backend in the GNU C
> | library version 2.34 to version 2.43 could result in an invalid DNS
> | hostname being returned to the caller in violation of the DNS
> | specification.
>
> I made only one bug because the (original) patch[2] proposed upstream
> covered both.

At the end the patch got split into parts, and currently only
CVE-2026-4437 is fixed. Cloning the bug.

Regards
Aurelien

--
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
[email protected]                 http://aurel32.net
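Added illustration, not part of this bug report or of glibc's own code: a caller-side check in C that refuses to use a syntactically invalid name returned by gethostbyaddr, the kind of defence-in-depth a program can apply while CVE-2026-4438 is still unfixed in its glibc. The function names valid_dns_hostname and checked_reverse_lookup are chosen here, and the check implements the RFC 1123 letters-digits-hyphen rule rather than anything from the glibc patch.

```c
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <ctype.h>
#include <netdb.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

/* RFC 1123 "LDH" syntax check: labels of 1..63 bytes made of letters,
 * digits and hyphens, no label starting or ending with a hyphen, whole
 * name at most 253 bytes (one trailing dot tolerated).
 * Returns 1 when the name is acceptable, 0 otherwise. */
int valid_dns_hostname(const char *name)
{
    if (name == NULL) return 0;
    size_t len = strlen(name);
    if (len > 0 && name[len - 1] == '.') len--;      /* drop trailing dot */
    if (len == 0 || len > 253) return 0;
    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {                               /* end of a label */
            if (label_len == 0 || name[i - 1] == '-') return 0;
            label_len = 0;
            continue;
        }
        if (!isalnum(c) && c != '-') return 0;        /* not letter/digit/hyphen */
        if (label_len == 0 && c == '-') return 0;     /* leading hyphen */
        if (++label_len > 63) return 0;               /* label too long */
    }
    return label_len > 0 && name[len - 1] != '-';     /* last label sane */
}

/* Reverse lookup of a dotted-quad IPv4 address that refuses to hand a
 * syntactically invalid name (or alias) back to the caller. Returns the
 * canonical name, or NULL on lookup failure or rejection. */
const char *checked_reverse_lookup(const char *ipv4)
{
    struct in_addr addr;
    if (inet_pton(AF_INET, ipv4, &addr) != 1) return NULL;
    struct hostent *he = gethostbyaddr(&addr, sizeof addr, AF_INET);
    if (he == NULL || !valid_dns_hostname(he->h_name)) return NULL;
    for (char **alias = he->h_aliases; alias != NULL && *alias != NULL; alias++)
        if (!valid_dns_hostname(*alias)) return NULL;
    return he->h_name;
}
```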

