
Bug#1125678: marked as done (glibc: CVE-2026-0861)



Your message dated Fri, 16 Jan 2026 22:04:57 +0000
with message-id <E1vgrw9-0000000HMUb-1pGh@fasolo.debian.org>
and subject line Bug#1125678: fixed in glibc 2.42-8
has caused the Debian Bug report #1125678,
regarding glibc: CVE-2026-0861
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1125678: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125678
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: glibc
Version: 2.42-7
Severity: important
Tags: security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=33796
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2.41-12+deb13u1
Control: found -1 2.36-9+deb12u7
Control: found -1 2.36-9+deb12u13

Hi,

The following vulnerability was published for glibc.

CVE-2026-0861[0]:
| Passing too large an alignment to the memalign suite of functions
| (memalign, posix_memalign, aligned_alloc, valloc, pvalloc) in the
| GNU C Library version 2.30 to 2.42 may result in an integer
| overflow, which could consequently result in a heap corruption.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-0861
    https://www.cve.org/CVERecord?id=CVE-2026-0861
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=33796

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: glibc
Source-Version: 2.42-8
Done: Aurelien Jarno <aurel32@debian.org>

We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1125678@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 16 Jan 2026 21:50:10 +0100
Source: glibc
Architecture: source
Version: 2.42-8
Distribution: unstable
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Closes: 1125678
Changes:
 glibc (2.42-8) unstable; urgency=medium
 .
   [ Samuel Thibault ]
   * debian/testsuite-xfail-debian.mk: Avoid running tst-writev on hurd-amd64.
   * debian/patches/hurd-i386/git-sigreturn-xmm.diff: Fix sigreturn using xmm
     registers in the signal contention case.
   * debian/patches/hurd-i386/local-intr-msg-clobber.diff: Try to re-introduce
     mmx clobber work-around.
   * debian/testsuite-xfail-debian.mk: Update hurd results.
 .
   [ Aurelien Jarno ]
   * debian/rules.d/build.mk: do not write BUILD_CXX to configparms, it's
     unused.
   * debian/patches/git-updates.diff: update from upstream stable branch:
     - Fix an integer overflow in _int_memalign leading to heap corruption
       (CVE-2026-0861).  Closes: #1125678.
     - Fix stack contents leak in getnetbyaddr (CVE-2026-0915).
     - Optimize trylock for high cache contention workloads.
 .
   [ Helmut Grohne ]
   * debian/control.in/main: avoid g++ dependency in nocheck builds.
   * debian/control.in/main, rules, rules.d/build.mk: don't build nscd in
     stage2.


--- End Message ---
