
Bug#945250: marked as done (glibc: CVE-2019-19126)



Your message dated Sun, 05 Jan 2020 12:35:10 +0000
with message-id <E1io57e-0008OU-BJ@fasolo.debian.org>
and subject line Bug#945250: fixed in glibc 2.29-8
has caused the Debian Bug report #945250,
regarding glibc: CVE-2019-19126
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
945250: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945250
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: glibc
Version: 2.29-3
Severity: important
Tags: security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=25204
Control: found -1 2.28-10
Control: found -1 2.24-11+deb9u1
Control: found -1 2.24-11+deb9u4
Control: found -1 2.24-11

Hi,

The following vulnerability was published for glibc; filing this bug
mainly for tracking purposes, it was reported upstream at [1].

CVE-2019-19126[0]:
| On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31
| fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable
| during program execution after a security transition, allowing local
| attackers to restrict the possible mapping addresses for loaded
| libraries and thus bypass ASLR for a setuid program.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-19126
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19126
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=25204

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: glibc
Source-Version: 2.29-8

We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 945250@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 05 Jan 2020 13:03:42 +0100
Source: glibc
Architecture: source
Version: 2.29-8
Distribution: unstable
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Closes: 945250
Changes:
 glibc (2.29-8) unstable; urgency=medium
 .
   [ Samuel Thibault ]
   * patches/hurd-i386/posix_openpt.diff: Add posix_openpt support.
   * patches/hurd-i386/git-errno_location.diff: Fix pthread link of protobuf.
 .
   [ Aurelien Jarno ]
   * debian/patches/git-updates.diff: update from upstream stable branch:
     - Fixes ASLR bypass for setuid programs (CVE-2019-19126).  Closes: #945250.
     - debian/patches/any/git-socket-constants.diff: upstreamed.


--- End Message ---
