Hi,

I've prepared an LTS update for glibc and seek people testing it. Builds for amd64 and armhf as well as a .debdiff are available from http://subdivi.de/~helmut/glibc_lts.

I plan to fix no less than 14 CVEs. Those mostly fall into one of the following categories:

 * 4 * iconv
 * 2 * unix sockets
 * setuid environment filtering
 * getcwd
 * glob
 * memcpy on armhf
 * mq_notify
 * sinl
 * wordexp
 * nscd

Please refer to debian/changelog and the respective patches for details. If you happen to have applications covering any of these, feedback is welcome.

Beware that this update changes two private glibc symbols for fixing CVE-2016-10228. These symbols are used for testing the change via iconv_prog, which happens to not be installed into a binary package. I've not located any uses in any other glibc library. As a result, I believe these symbol changes to be harmless even though Aurelien Jarno cautioned about it. My judgement is partially confirmed by Red Hat and Canonical shipping these symbol changes in their security updates. On the flip side, I'm observing a number of unexpected references to one symbol that did change prototype, see https://codesearch.debian.net/search?q=__gconv_open&literal=1. Most of these uses are broken since bullseye, so I hope that they're all dead code. More eyeballs appreciated.

You see this is glibc, so I'd rather give it more testing than brick user systems.

Please Cc me in replies.

Helmut