Bug#1125748: marked as done (glibc: CVE-2026-0915)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Fri, 16 Jan 2026 23:06:28 +0100
with message-id <aWq2ZEkJ6B5OHS0D@aurel32.net>
and subject line Re: Bug#1125748: glibc: CVE-2026-0915
has caused the Debian Bug report #1125748,
regarding glibc: CVE-2026-0915
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1125748: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125748
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: glibc: CVE-2026-0915
• From: Salvatore Bonaccorso <carnil@debian.org>
• Date: Fri, 16 Jan 2026 22:50:35 +0100
• Message-id: <[🔎] 176860023599.40118.8102680508164090111.reportbug@eldamar.lan>

Source: glibc
Version: 2.42-7
Severity: important
Tags: security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=33802
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2.41-12+deb13u1
Control: found -1 2.41-12
Control: found -1 2.36-9+deb12u13
Control: found -1 2.36-9+deb12u7
Control: found -1 2.36-9

Hi,

The following vulnerability was published for glibc.

CVE-2026-0915[0]:
| Calling getnetbyaddr or getnetbyaddr_r with a configured
| nsswitch.conf that specifies the library's DNS backend for networks
| and queries for a zero-valued network in the GNU C Library version
| 2.0 to version 2.42 can leak stack contents to the configured DNS
| resolver.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-0915
    https://www.cve.org/CVERecord?id=CVE-2026-0915
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=33802

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

• To: 1125748-done@bugs.debian.org
• Subject: Re: Bug#1125748: glibc: CVE-2026-0915
• From: Aurelien Jarno <aurel32@debian.org>
• Date: Fri, 16 Jan 2026 23:06:28 +0100
• Message-id: <aWq2ZEkJ6B5OHS0D@aurel32.net>
• In-reply-to: <[🔎] 176860023599.40118.8102680508164090111.reportbug@eldamar.lan>
• References: <[🔎] 176860023599.40118.8102680508164090111.reportbug@eldamar.lan>

Version: 2.42-8

Hi,

On 2026-01-16 22:50, Salvatore Bonaccorso wrote:
> Source: glibc
> Version: 2.42-7
> Severity: important
> Tags: security upstream
> Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=33802
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> Control: found -1 2.41-12+deb13u1
> Control: found -1 2.41-12
> Control: found -1 2.36-9+deb12u13
> Control: found -1 2.36-9+deb12u7
> Control: found -1 2.36-9
> 
> Hi,
> 
> The following vulnerability was published for glibc.
> 
> CVE-2026-0915[0]:
> | Calling getnetbyaddr or getnetbyaddr_r with a configured
> | nsswitch.conf that specifies the library's DNS backend for networks
> | and queries for a zero-valued network in the GNU C Library version
> | 2.0 to version 2.42 can leak stack contents to the configured DNS
> | resolver.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

This was fix in unstable in version 2.42-8. Closing the bug accordingly.

Regards
Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                     http://aurel32.net

--- End Message ---