Security issues fixed upstream in glibc have been announced today (January 24):
https://www.openwall.com/lists/oss-security/2022/01/24/4

Upstream commits that fixed the issues are linked in the message above.

Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
sigh, of course going public with new issues one day after we just released an update..
Cauldron fixed in glibc-2.34-24.mga9
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CVE-2021-3998 does not affect mga8 as the affected code came in later:

git describe --contains c6e0b0b5b0b7922cdf0dce2af671e0c7e500df95
glibc-2.33~87

CVE-2021-3999 fixed in glibc-2.32-24.mga8 currently building
Fedora has issued an advisory for this today (February 3): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/P4R5YTUHS7OZ4HZCUKF6SRVXGDHSZAOF/
Ready to assign to QA? Installed it Jan 26. No issues noted.
CC: (none) => fri
Nope, I'm looking at more fixes that have landed upstream...
I'll write up the advisory later, here are the rpms

SRPM:
glibc-2.32-25.mga8.src.rpm

i586:
glibc-2.32-25.mga8.i586.rpm
glibc-devel-2.32-25.mga8.i586.rpm
glibc-doc-2.32-25.mga8.noarch.rpm
glibc-i18ndata-2.32-25.mga8.i586.rpm
glibc-profile-2.32-25.mga8.i586.rpm
glibc-static-devel-2.32-25.mga8.i586.rpm
glibc-utils-2.32-25.mga8.i586.rpm
nscd-2.32-25.mga8.i586.rpm

x86_64:
glibc-2.32-25.mga8.x86_64.rpm
glibc-devel-2.32-25.mga8.x86_64.rpm
glibc-doc-2.32-25.mga8.noarch.rpm
glibc-i18ndata-2.32-25.mga8.x86_64.rpm
glibc-profile-2.32-25.mga8.x86_64.rpm
glibc-static-devel-2.32-25.mga8.x86_64.rpm
glibc-utils-2.32-25.mga8.x86_64.rpm
nscd-2.32-25.mga8.x86_64.rpm
Assignee: tmb => qa-bugs
5.15.18-desktop-2.mga8 x86_64

Updated the eight packages and rebooted. /etc/nscd.conf looks alright to the untrained eye. The desktop continues to function normally.

$ urpmq -i glibc-utils
.....
The glibc-utils package contains memusage, a memory usage profiler,
mtrace, a memory leak tracer and xtrace, a function call tracer which
can be helpful during program debugging.

$ cat test-posix-memalign.c
#include <stdlib.h>
#include <stdint.h>

int main(int argc, char **argv)
{
    void *p;
    return posix_memalign(&p, 0x10, SIZE_MAX - 0x20);
}

$ mtrace test-posix-memalign
No memory leaks.

Tried a local build of celestia as in bug 26309 but hit problems at the bm stage even after running `sudo urpmi --buildrequires SPECS/celestia.spec` so gave up on that.

Some 14K other applications and libraries require glibc so we shall leave it at that. It is OK but others may wish to test it further.
CC: (none) => tarazed25
The priority of the update and the warning to restart the system are enough to indicate Mageia's fundamental reliance on glibc. It's used practically everywhere.

Tested on a MGA8-64 Plasma desktop system with an i5-2500, Intel graphics, and a wired Internet connection. Also tested with a MGA8-32 Xfce system on a Dell Inspiron 5100, with a P4, Radeon RV200 graphics, and an aging Atheros-based wifi connection.

No installation issues for either system. After the reboot, tried this and that, including removing some stale kernels with rpmdrake, Firefox, VLC on 64-bit and Parole on 32-bit, Thunderbird on 64-bit. No issues noted.

This looks OK to me on both x86_64 and i586 real hardware.
CC: (none) => andrewsfarm
So this should go out for both architectures based on comment 9.
Whiteboard: (none) => MGA8-64-OK MGA8-32-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0052.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED