Ahh I was looking in the wrong place - glibc-sources shows the fix in 2.36-9+deb12u1:
glibc (2.36-9+deb12u1) bookworm; urgency=medium
[ Aurelien Jarno ]
* debian/patches/git-updates.diff: update from upstream stable branch:
- Affecting bookworm release architectures:
- Improve mcount overflow handling in gmon.
- Fix a buffer overflow in gmon (CVE-2023-0687).
- Fix a memory corruption when incorrectly calling gmon functions
repeatedly on in wrong order.
- Fix a deadlock in getaddrinfo (__check_pf) with deferred cancellation.
- Fix y2038 support in strftime on 32-bit architectures.
- Fix corner case parsing of /etc/gshadow which can return bad pointers
causing segfaults in applications.
- Fix a deadlock in system() when called concurrently from multiple
threads.
- cdefs: limit definition of fortification macros to __FORTIFY_LEVEL > 0
to support old C90 compilers.
- Not affecting bookworm release architectures:
- Fix LFS POSIX lock constants for powerpc64.
- Fix GL(dl_phdr) and GL(dl_phnum) for static builds. Closes: #1028200.
- Not affecting debian architectures:
- Fix LFS POSIX lock constants on 32 bit arch with 64 bit default
time_t.
- No change in the generated code:
- Fix asm constraints in amd64 version of feraiseexcept (bug not visible
with GCC 12).
So I guess we just need a rebuild of the later glibc for the alpha cross compiler?