Be careful about rushing out fixes. We are observing regressions in software triggered by changes in glibc behaviour.
---

Regards,

Darcy

Darcy Watkins
Staff Engineer, Firmware
Sierra Wireless
http://sierrawireless.com
[M3]

> On Feb 24, 2016, at 8:57 AM, akuster808 <akuster...@gmail.com> wrote:
>
>> On 02/24/2016 08:38 AM, Mark Hatle wrote:
>>> On 2/23/16 6:14 PM, akuster808 wrote:
>>>
>>>> On 02/23/2016 02:52 PM, Darcy Watkins wrote:
>>>>> On Tue, 2016-02-23 at 13:51 -0800, Mark Hatle wrote:
>>>>>> On 2/23/16 1:53 PM, Khem Raj wrote:
>>>>>> On Tue, Feb 23, 2016 at 2:25 PM, Darcy Watkins
>>>>>>> CVE-2015-7547 glibc vulnerability has been published as affecting glibc
>>>>>>> since ver 2.9 (fixed in 2.23 and patched in 2.22 and 2.21).
>>>>>>>
>>>>>>> Anyone know if we need the same security fixes in eglibc?
>>>>>>
>>>>>> yes you do. Eglibc was nothing but glibc+few fixes.
>>>>>
>>>>> Yes this affects all eglibc version 2.9 and newer up to glibc 2.23.
>>>>>
>>>>> As far as I'm aware, this affects all Yocto Project versions up to 2.0.
>>>>
>>>> I will be interested in knowing which Yocto Project versions will
>>>> receive the fixes.
>>>
>>> Master, 2.0 and 1.8 all have the fixes.
>>> How far back do we go in matters like this?
>>
>> Official support is current (in development) and the last two releases. So up
>> to about a year and a half of support.
>>
>> After this point, it becomes community support. This really means, if someone
>> in the community wants to continue support past the YP's support guidelines they
>> are welcome to do so -- but there won't be any official releases, only checkins
>> to the repository.
>
> much better explanation than mine.
>
> thanks,
> Armin
>>
>> We have done this on some OpenSSL fixes in the past, but it was based on
>> specific requests and people submitting the fixes to be included with older
>> versions.
>>
>>> 1.7 (dizzy) I plan on doing soon. beyond that I do not know. those are
>>> all community supported.
>>>
>>> - armin
>>>>
>>>> Thanks in advance!
>>>>
>>>>> (The patch referenced by the security announcement applies to all of the
>>>>> versions of glibc I've needed to apply it to for my customers. A few per-line
>>>>> tweaks might be necessary, but it was fairly easy.)
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto