--------------------------------------------------------------------------------Fedora Update Notification FEDORA-2020-1a3bdfde17 2020-01-20 22:48:10.259348 --------------------------------------------------------------------------------Name : glibc Product : Fedora 31 Version : 2.30 Release : 10.fc31 URL : http://www.gnu.org/software/glibc/ Summary : The GNU libc libraries Description : The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets of shared libraries: the standard C library and the standard math library. Without these two libraries, a Linux system will not function. --------------------------------------------------------------------------------Update Information: This update fixes a minor security vulnerability ([`LD_PREFER_MAP_32BIT_EXEC` not ignored in setuid binaries](https://bugzilla.redhat.com/show_bug.cgi?id=1774682) and addresses are long-standing bug where missing shared objects could cause crashes due to incorrectly handled `dlopen` failures (RHBZ#1395758). The latter fix also causes lazy binding failures in ELF constructors and destructors to result in process termination (the same effect that lazy binding failures have in other contexts), rather than leaving the process in an inconsistent state. Furthermore, various issues in the `utmp`/`utmpx` subsystem have been addressed. This update also includes various minor fixes from the glibc 2.30 upstream stable release branch. --------------------------------------------------------------------------------ChangeLog: * Fri Jan 17 2020 Florian Weimer - 2.30-10 - Fix dynamic loader crash after dlopen failure with NODELETE (#1395758) - Lazy binding failures during ELF constructors and destructors now always terminate the process. * Fri Jan 17 2020 Florian Weimer - 2.30-9 - Auto-sync with upstream branch release/2.30/master, commit 994e529a37953a057b9e6c80afa03b03fd3724f2: - Remove incorrect alloc_size attribute from pvalloc (swbz#25401) - login: Use pread64 in utmp implementation - Add nocancel version of pread64() - login: Introduce matches_last_entry to utmp processing - login: Acquire write lock early in pututline (swbz#24882) - login: Add nonstring attributes to struct utmp, struct utmpx (swbz#24899) - login: Remove double-assignment of fl.l_whence in try_file_lock - login: pututxline could fail to overwrite existing entries (swbz#24902) - login: Use struct flock64 in utmp (swbz#24880) - login: Disarm timer after utmp lock acquisition (swbz#24879) - login: Fix updwtmp, updwtmx unlocking - login: Replace macro-based control flow with function calls in utmp - login: Assume that _HAVE_UT_* constants are true - login: Remove utmp backend jump tables (swbz#23518) - misc/test-errno-linux: Handle EINVAL from quotactl - : Define __CORRECT_ISO_CPP_STRING_H_PROTO for Clang (swbz#25232) - x86: Assume --enable-cet if GCC defaults to CET (swbz#25225) - libio: Disable vtable validation for pre-2.1 interposed handles (swbz#25203) - S390: Fix handling of needles crossing a page in strstr z15 ifunc-variant. (swbz#25226) - rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) (#1774682) - Don't use a custom wrapper macro around __has_include (swbz#25189) * Wed Dec 4 2019 Arjun Shankar - 2.30-8 - Rebuild to fix corrupt annobin data in crti.o and crtn.o [BZ# 1779399] * Tue Nov 19 2019 Arjun Shankar - 2.30-7 - Auto-sync with upstream branch release/2.30/master, commit 919af705eef416f4469341dfdf4ca23450f30236: - Update Alpha libm-test-ulps - hppa: Update libm-tests-ulps - alpha: force old OSF1 syscalls for getegid, geteuid and getppid [BZ #24986] - Fix RISC-V vfork build with Linux 5.3 kernel headers. - S390: Add new s390 platform z15. - Make tst-strftime2 and tst-strftime3 depend on locale generation - mips: Force RWX stack for hard-float builds that can run on pre-4.8 kernels - malloc: Fix missing accounting of top chunk in malloc_info [BZ #24026] - Add glibc.malloc.mxfast tunable - malloc: Various cleanups for malloc/tst-mxfast - Base max_fast on alignment, not width, of bins (Bug 24903) * Mon Sep 30 2019 Florian Weimer - 2.30-6 - Set the expects flags to clock_nanosleep (#1473680) --------------------------------------------------------------------------------References: [ 1 ] Bug #1395758 - glibc: incomplete rollback of dynamic linker state on linking failure https://bugzilla.redhat.com/show_bug.cgi?id=1395758 [ 2 ] Bug #1774682 - CVE-2019-19126 glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1774682 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2020-1a3bdfde17' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list -- package-announce@lists.fedoraproject.org To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Fedora 31: glibc FEDORA-2020-1a3bdfde17

January 20, 2020

This update fixes a minor security vulnerability ([`LD_PREFER_MAP_32BIT_EXEC` not ignored in setuid binaries](https://bugzilla.redhat.com/show_bug.cgi?id=1774682) and addresses are...

Summary

The glibc package contains standard libraries which are used by

multiple programs on the system. In order to save disk space and

memory, as well as to make upgrading easier, common system code is

kept in one place and shared between programs. This particular package

contains the most important sets of shared libraries: the standard C

library and the standard math library. Without these two libraries, a

Linux system will not function.

This update fixes a minor security vulnerability ([`LD_PREFER_MAP_32BIT_EXEC`

not ignored in setuid

binaries](https://bugzilla.redhat.com/show_bug.cgi?id=1774682) and addresses are

long-standing bug where missing shared objects could cause crashes due to

incorrectly handled `dlopen` failures (RHBZ#1395758). The latter fix also causes

lazy binding failures in ELF constructors and destructors to result in process

termination (the same effect that lazy binding failures have in other contexts),

rather than leaving the process in an inconsistent state. Furthermore, various

issues in the `utmp`/`utmpx` subsystem have been addressed. This update also

includes various minor fixes from the glibc 2.30 upstream stable release branch.

* Fri Jan 17 2020 Florian Weimer - 2.30-10

- Fix dynamic loader crash after dlopen failure with NODELETE (#1395758)

- Lazy binding failures during ELF constructors and destructors now always

terminate the process.

* Fri Jan 17 2020 Florian Weimer - 2.30-9

- Auto-sync with upstream branch release/2.30/master,

commit 994e529a37953a057b9e6c80afa03b03fd3724f2:

- Remove incorrect alloc_size attribute from pvalloc (swbz#25401)

- login: Use pread64 in utmp implementation

- Add nocancel version of pread64()

- login: Introduce matches_last_entry to utmp processing

- login: Acquire write lock early in pututline (swbz#24882)

- login: Add nonstring attributes to struct utmp, struct utmpx (swbz#24899)

- login: Remove double-assignment of fl.l_whence in try_file_lock

- login: pututxline could fail to overwrite existing entries (swbz#24902)

- login: Use struct flock64 in utmp (swbz#24880)

- login: Disarm timer after utmp lock acquisition (swbz#24879)

- login: Fix updwtmp, updwtmx unlocking

- login: Replace macro-based control flow with function calls in utmp

- login: Assume that _HAVE_UT_* constants are true

- login: Remove utmp backend jump tables (swbz#23518)

- misc/test-errno-linux: Handle EINVAL from quotactl

- : Define __CORRECT_ISO_CPP_STRING_H_PROTO for Clang (swbz#25232)

- x86: Assume --enable-cet if GCC defaults to CET (swbz#25225)

- libio: Disable vtable validation for pre-2.1 interposed handles (swbz#25203)

- S390: Fix handling of needles crossing a page in strstr z15 ifunc-variant. (swbz#25226)

- rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC

(CVE-2019-19126) (#1774682)

- Don't use a custom wrapper macro around __has_include (swbz#25189)

* Wed Dec 4 2019 Arjun Shankar - 2.30-8

- Rebuild to fix corrupt annobin data in crti.o and crtn.o [BZ# 1779399]

* Tue Nov 19 2019 Arjun Shankar - 2.30-7

- Auto-sync with upstream branch release/2.30/master,

commit 919af705eef416f4469341dfdf4ca23450f30236:

- Update Alpha libm-test-ulps

- hppa: Update libm-tests-ulps

- alpha: force old OSF1 syscalls for getegid, geteuid and getppid [BZ #24986]

- Fix RISC-V vfork build with Linux 5.3 kernel headers.

- S390: Add new s390 platform z15.

- Make tst-strftime2 and tst-strftime3 depend on locale generation

- mips: Force RWX stack for hard-float builds that can run on pre-4.8 kernels

- malloc: Fix missing accounting of top chunk in malloc_info [BZ #24026]

- Add glibc.malloc.mxfast tunable

- malloc: Various cleanups for malloc/tst-mxfast

- Base max_fast on alignment, not width, of bins (Bug 24903)

* Mon Sep 30 2019 Florian Weimer - 2.30-6

- Set the expects flags to clock_nanosleep (#1473680)

[ 1 ] Bug #1395758 - glibc: incomplete rollback of dynamic linker state on linking failure

https://bugzilla.redhat.com/show_bug.cgi?id=1395758

[ 2 ] Bug #1774682 - CVE-2019-19126 glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1774682

su -c 'dnf upgrade --advisory FEDORA-2020-1a3bdfde17' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

FEDORA-2020-1a3bdfde17 2020-01-20 22:48:10.259348 Product : Fedora 31 Version : 2.30 Release : 10.fc31 URL : http://www.gnu.org/software/glibc/ Summary : The GNU libc libraries Description : The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets of shared libraries: the standard C library and the standard math library. Without these two libraries, a Linux system will not function. This update fixes a minor security vulnerability ([`LD_PREFER_MAP_32BIT_EXEC` not ignored in setuid binaries](https://bugzilla.redhat.com/show_bug.cgi?id=1774682) and addresses are long-standing bug where missing shared objects could cause crashes due to incorrectly handled `dlopen` failures (RHBZ#1395758). The latter fix also causes lazy binding failures in ELF constructors and destructors to result in process termination (the same effect that lazy binding failures have in other contexts), rather than leaving the process in an inconsistent state. Furthermore, various issues in the `utmp`/`utmpx` subsystem have been addressed. This update also includes various minor fixes from the glibc 2.30 upstream stable release branch. * Fri Jan 17 2020 Florian Weimer - 2.30-10 - Fix dynamic loader crash after dlopen failure with NODELETE (#1395758) - Lazy binding failures during ELF constructors and destructors now always terminate the process. * Fri Jan 17 2020 Florian Weimer - 2.30-9 - Auto-sync with upstream branch release/2.30/master, commit 994e529a37953a057b9e6c80afa03b03fd3724f2: - Remove incorrect alloc_size attribute from pvalloc (swbz#25401) - login: Use pread64 in utmp implementation - Add nocancel version of pread64() - login: Introduce matches_last_entry to utmp processing - login: Acquire write lock early in pututline (swbz#24882) - login: Add nonstring attributes to struct utmp, struct utmpx (swbz#24899) - login: Remove double-assignment of fl.l_whence in try_file_lock - login: pututxline could fail to overwrite existing entries (swbz#24902) - login: Use struct flock64 in utmp (swbz#24880) - login: Disarm timer after utmp lock acquisition (swbz#24879) - login: Fix updwtmp, updwtmx unlocking - login: Replace macro-based control flow with function calls in utmp - login: Assume that _HAVE_UT_* constants are true - login: Remove utmp backend jump tables (swbz#23518) - misc/test-errno-linux: Handle EINVAL from quotactl - : Define __CORRECT_ISO_CPP_STRING_H_PROTO for Clang (swbz#25232) - x86: Assume --enable-cet if GCC defaults to CET (swbz#25225) - libio: Disable vtable validation for pre-2.1 interposed handles (swbz#25203) - S390: Fix handling of needles crossing a page in strstr z15 ifunc-variant. (swbz#25226) - rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) (#1774682) - Don't use a custom wrapper macro around __has_include (swbz#25189) * Wed Dec 4 2019 Arjun Shankar - 2.30-8 - Rebuild to fix corrupt annobin data in crti.o and crtn.o [BZ# 1779399] * Tue Nov 19 2019 Arjun Shankar - 2.30-7 - Auto-sync with upstream branch release/2.30/master, commit 919af705eef416f4469341dfdf4ca23450f30236: - Update Alpha libm-test-ulps - hppa: Update libm-tests-ulps - alpha: force old OSF1 syscalls for getegid, geteuid and getppid [BZ #24986] - Fix RISC-V vfork build with Linux 5.3 kernel headers. - S390: Add new s390 platform z15. - Make tst-strftime2 and tst-strftime3 depend on locale generation - mips: Force RWX stack for hard-float builds that can run on pre-4.8 kernels - malloc: Fix missing accounting of top chunk in malloc_info [BZ #24026] - Add glibc.malloc.mxfast tunable - malloc: Various cleanups for malloc/tst-mxfast - Base max_fast on alignment, not width, of bins (Bug 24903) * Mon Sep 30 2019 Florian Weimer - 2.30-6 - Set the expects flags to clock_nanosleep (#1473680) [ 1 ] Bug #1395758 - glibc: incomplete rollback of dynamic linker state on linking failure https://bugzilla.redhat.com/show_bug.cgi?id=1395758 [ 2 ] Bug #1774682 - CVE-2019-19126 glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1774682 su -c 'dnf upgrade --advisory FEDORA-2020-1a3bdfde17' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ package-announce mailing list -- package-announce@lists.fedoraproject.org To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/