| Message ID | 20260408091626.3423299-1-Hemanth.KumarMD@windriver.com |
|---|---|
| State | Changes Requested |
| Series | glibc: stable 2.43 branch updates |
Please set status for fixed CVEs via CVE_STATUS_STABLE_BACKPORTS, otherwise they will be still present in CVE reports.

Peter

-----Original Message-----
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Hemanth Kumar M D via lists.openembedded.org
Sent: Wednesday, April 8, 2026 11:16 AM
To: openembedded-core@lists.openembedded.org
Cc: Sundeep.Kokkonda@windriver.com; Hemanth.KumarMD@windriver.com
Subject: [OE-core] [PATCH] glibc: stable 2.43 branch updates

From: Hemanth Kumar M D <Hemanth.KumarMD@windriver.com>

$ git log --oneline 856c426a753450b8c6861a5b994a564f4fc16d4b..ce1013a197eb4a3b8ff2b07e0672f4d0b976ce7c

ce1013a197 tests: fix tst-rseq with Linux 7.0
60cabd0464 riscv: Resolve calls to memcpy using memcpy-generic in early startup
02ffd413cf elf: Use dl-symbol-redir-ifunc.h instead _dl_strlen
2695314378 elf: parse /proc/self/maps as the last resort to find the gap for tst-link-map-contiguous-ldso
dd9945c0ba resolv: Check hostname for validity (CVE-2026-4438)
5c6fca0c62 resolv: Count records correctly (CVE-2026-4437)
2be6cf2e75 posix: Run tst-wordexp-reuse-mem test
305ce0b588 aarch64: Tests for locking GCS
2ee41ba6ec aarch64: Lock GCS status at startup
fa4a40c7d4 tests: aarch64: fix makefile dependencies for dlopen tests for BTI
9898ea58b5 malloc: Avoid accessing /sys/kernel/mm files
c3ceb93dc4 Add BZ 33904 entry to NEWS
911bd469f8 debug: Fix build with --enable-fortify-source=1 (BZ 33904)
48f5a05a7a nss: Missing checks in __nss_configure_lookup, __nss_database_get (bug 28940)
d6cb7ce0e9 Linux: In getlogin_r, use utmp fallback only for specific errors
140c760d71 nss: Introduce dedicated struct nss_database_for_fork type

Testing Results:
+--------------+--------+--------+------+
| Result       | Before | After  | Diff |
+--------------+--------+--------+------+
| PASS         | 6770   | 6774   | +4   |
| XPASS        | 4      | 4      | 0    |
| FAIL         | 29     | 28     | -1   |
| XFAIL        | 16     | 16     | 0    |
| UNSUPPORTED  | 489    | 490    | +1   |
+--------------+--------+--------+------+

Changes in testcases:
+------------------------------------------------------+--------+-------------+
| Testcase                                             | Before | After       |
+------------------------------------------------------+--------+-------------+
| elf/tst-tls20                                        | FAIL   | PASS        |
| posix/tst-wordexp-reuse-mem                          | N/A    | PASS        |
| resolv/tst-resolv-invalid-ptr                        | N/A    | PASS        |
| resolv/tst-resolv-dns-section                        | N/A    | PASS        |
| nss/tst-nss-malloc-failure-getlogin_r                | N/A    | UNSUPPORTED |
+------------------------------------------------------+--------+-------------+

Justification:

commit - 2be6cf2e75 posix: Run tst-wordexp-reuse-mem test
Fixes Makefile dependency to ensure the testcase is executed.
Passing new testcase:
+PASS: posix/tst-wordexp-reuse-mem

commit - dd9945c0ba resolv: Check hostname for validity (CVE-2026-4438)
Adds validation for hostname parsing and introduces a regression test.
Passing new testcase:
+PASS: resolv/tst-resolv-invalid-ptr

commit - 5c6fca0c62 resolv: Count records correctly (CVE-2026-4437)
Fixes DNS answer section parsing and adds a regression test.
Passing new testcase:
+PASS: resolv/tst-resolv-dns-section

commit - 48f5a05a7a nss: Missing checks in __nss_configure_lookup, __nss_database_get (bug 28940)
Fixes null pointer dereference and improves NSS handling.
Added testcase:
UNSUPPORTED: nss/tst-nss-malloc-failure-getlogin_r

Signed-off-by: Hemanth Kumar M D <Hemanth.KumarMD@windriver.com>
--- meta/recipes-core/glibc/glibc-version.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc index 89be8fcb88..015e7943c5 100644 --- a/meta/recipes-core/glibc/glibc-version.inc +++ b/meta/recipes-core/glibc/glibc-version.inc @@ -1,6 +1,6 @@ SRCBRANCH ?= "release/2.43/master" PV = "2.43+git" -SRCREV_glibc ?= "856c426a753450b8c6861a5b994a564f4fc16d4b" +SRCREV_glibc ?= "ce1013a197eb4a3b8ff2b07e0672f4d0b976ce7c" SRCREV_localedef ?= "cba02c503d7c853a38ccfb83c57e343ca5ecd7e5" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git;protocol=https"
Hi Peter,

Thanks for the suggestion. I had already checked the CVE reports, and these CVEs are not currently being reported there.

Ref: https://lists.openembedded.org/g/openembedded-core/message/234641?p=%2C%2C%2C20%2C0%2C0%2C0%3A%3ACreated%2C%2COE-core+CVE+metrics+for+master%2C20%2C2%2C0%2C118682687

Would it still be preferred to add CVE_STATUS entries in such cases, or only when they appear in the reports?

On 08-04-2026 03:13 pm, Marko, Peter wrote:
> Please set status for fixed CVEs via CVE_STATUS_STABLE_BACKPORTS, otherwise they will be still present in CVE reports.
> Peter
>
> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Hemanth Kumar M D via lists.openembedded.org
> Sent: Wednesday, April 8, 2026 11:16 AM
> To: openembedded-core@lists.openembedded.org
> Cc: Sundeep.Kokkonda@windriver.com; Hemanth.KumarMD@windriver.com
> Subject: [OE-core] [PATCH] glibc: stable 2.43 branch updates
>
> From: Hemanth Kumar M D <Hemanth.KumarMD@windriver.com>
>
> $ git log --oneline 856c426a753450b8c6861a5b994a564f4fc16d4b..ce1013a197eb4a3b8ff2b07e0672f4d0b976ce7c
>
> ce1013a197 tests: fix tst-rseq with Linux 7.0
> 60cabd0464 riscv: Resolve calls to memcpy using memcpy-generic in early startup
> 02ffd413cf elf: Use dl-symbol-redir-ifunc.h instead _dl_strlen
> 2695314378 elf: parse /proc/self/maps as the last resort to find the gap for tst-link-map-contiguous-ldso
> dd9945c0ba resolv: Check hostname for validity (CVE-2026-4438)
> 5c6fca0c62 resolv: Count records correctly (CVE-2026-4437)
> 2be6cf2e75 posix: Run tst-wordexp-reuse-mem test
> 305ce0b588 aarch64: Tests for locking GCS
> 2ee41ba6ec aarch64: Lock GCS status at startup
> fa4a40c7d4 tests: aarch64: fix makefile dependencies for dlopen tests for BTI
> 9898ea58b5 malloc: Avoid accessing /sys/kernel/mm files
> c3ceb93dc4 Add BZ 33904 entry to NEWS
> 911bd469f8 debug: Fix build with --enable-fortify-source=1 (BZ 33904)
> 48f5a05a7a nss: Missing checks in __nss_configure_lookup, __nss_database_get (bug 28940)
> d6cb7ce0e9 Linux: In getlogin_r, use utmp fallback only for specific errors
> 140c760d71 nss: Introduce dedicated struct nss_database_for_fork type
>
> Testing Results:
> +--------------+--------+--------+------+
> | Result       | Before | After  | Diff |
> +--------------+--------+--------+------+
> | PASS         | 6770   | 6774   | +4   |
> | XPASS        | 4      | 4      | 0    |
> | FAIL         | 29     | 28     | -1   |
> | XFAIL        | 16     | 16     | 0    |
> | UNSUPPORTED  | 489    | 490    | +1   |
> +--------------+--------+--------+------+
>
> Changes in testcases:
> +------------------------------------------------------+--------+-------------+
> | Testcase                                             | Before | After       |
> +------------------------------------------------------+--------+-------------+
> | elf/tst-tls20                                        | FAIL   | PASS        |
> | posix/tst-wordexp-reuse-mem                          | N/A    | PASS        |
> | resolv/tst-resolv-invalid-ptr                        | N/A    | PASS        |
> | resolv/tst-resolv-dns-section                        | N/A    | PASS        |
> | nss/tst-nss-malloc-failure-getlogin_r                | N/A    | UNSUPPORTED |
> +------------------------------------------------------+--------+-------------+
>
> Justification:
>
> commit - 2be6cf2e75 posix: Run tst-wordexp-reuse-mem test
> Fixes Makefile dependency to ensure the testcase is executed.
> Passing new testcase:
> +PASS: posix/tst-wordexp-reuse-mem
>
> commit - dd9945c0ba resolv: Check hostname for validity (CVE-2026-4438)
> Adds validation for hostname parsing and introduces a regression test.
> Passing new testcase:
> +PASS: resolv/tst-resolv-invalid-ptr
>
> commit - 5c6fca0c62 resolv: Count records correctly (CVE-2026-4437)
> Fixes DNS answer section parsing and adds a regression test.
> Passing new testcase:
> +PASS: resolv/tst-resolv-dns-section
>
> commit - 48f5a05a7a nss: Missing checks in __nss_configure_lookup, __nss_database_get (bug 28940)
> Fixes null pointer dereference and improves NSS handling.
> Added testcase:
> UNSUPPORTED: nss/tst-nss-malloc-failure-getlogin_r
>
> Signed-off-by: Hemanth Kumar M D <Hemanth.KumarMD@windriver.com>
> --- > meta/recipes-core/glibc/glibc-version.inc | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc > index 89be8fcb88..015e7943c5 100644 > --- a/meta/recipes-core/glibc/glibc-version.inc > +++ b/meta/recipes-core/glibc/glibc-version.inc > @@ -1,6 +1,6 @@ > SRCBRANCH ?= "release/2.43/master" > PV = "2.43+git" > -SRCREV_glibc ?= "856c426a753450b8c6861a5b994a564f4fc16d4b" > +SRCREV_glibc ?= "ce1013a197eb4a3b8ff2b07e0672f4d0b976ce7c" > SRCREV_localedef ?= "cba02c503d7c853a38ccfb83c57e343ca5ecd7e5" > > GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git;protocol=https"
> --
> 2.49.0
>
Hello,

CVEs are being tracked and updated daily.
Newest report already has them flagged as open.
See https://valkyrie.yocto.io/pub/non-release/patchmetrics/

Please update their status.

Peter

From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Hemanth Kumar M D via lists.openembedded.org
Sent: Wednesday, April 8, 2026 1:22 PM
To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>; openembedded-core@lists.openembedded.org
Cc: Sundeep.Kokkonda@windriver.com
Subject: Re: [OE-core] [PATCH] glibc: stable 2.43 branch updates

Hi Peter,

Thanks for the suggestion. I had already checked the CVE reports, and these CVEs are not currently being reported there.

Ref: https://lists.openembedded.org/g/openembedded-core/message/234641?p=%2C%2C%2C20%2C0%2C0%2C0%3A%3ACreated%2C%2COE-core+CVE+metrics+for+master%2C20%2C2%2C0%2C118682687

Would it still be preferred to add CVE_STATUS entries in such cases, or only when they appear in the reports?

On 08-04-2026 03:13 pm, Marko, Peter wrote:

Please set status for fixed CVEs via CVE_STATUS_STABLE_BACKPORTS, otherwise they will be still present in CVE reports.

Peter

-----Original Message-----
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Hemanth Kumar M D via lists.openembedded.org
Sent: Wednesday, April 8, 2026 11:16 AM
To: openembedded-core@lists.openembedded.org
Cc: Sundeep.Kokkonda@windriver.com; Hemanth.KumarMD@windriver.com
Subject: [OE-core] [PATCH] glibc: stable 2.43 branch updates

From: Hemanth Kumar M D <Hemanth.KumarMD@windriver.com>

$ git log --oneline 856c426a753450b8c6861a5b994a564f4fc16d4b..ce1013a197eb4a3b8ff2b07e0672f4d0b976ce7c

ce1013a197 tests: fix tst-rseq with Linux 7.0
60cabd0464 riscv: Resolve calls to memcpy using memcpy-generic in early startup
02ffd413cf elf: Use dl-symbol-redir-ifunc.h instead _dl_strlen
2695314378 elf: parse /proc/self/maps as the last resort to find the gap for tst-link-map-contiguous-ldso
dd9945c0ba resolv: Check hostname for validity (CVE-2026-4438)
5c6fca0c62 resolv: Count records correctly (CVE-2026-4437)
2be6cf2e75 posix: Run tst-wordexp-reuse-mem test
305ce0b588 aarch64: Tests for locking GCS
2ee41ba6ec aarch64: Lock GCS status at startup
fa4a40c7d4 tests: aarch64: fix makefile dependencies for dlopen tests for BTI
9898ea58b5 malloc: Avoid accessing /sys/kernel/mm files
c3ceb93dc4 Add BZ 33904 entry to NEWS
911bd469f8 debug: Fix build with --enable-fortify-source=1 (BZ 33904)
48f5a05a7a nss: Missing checks in __nss_configure_lookup, __nss_database_get (bug 28940)
d6cb7ce0e9 Linux: In getlogin_r, use utmp fallback only for specific errors
140c760d71 nss: Introduce dedicated struct nss_database_for_fork type

Testing Results:
+--------------+--------+--------+------+
| Result       | Before | After  | Diff |
+--------------+--------+--------+------+
| PASS         | 6770   | 6774   | +4   |
| XPASS        | 4      | 4      | 0    |
| FAIL         | 29     | 28     | -1   |
| XFAIL        | 16     | 16     | 0    |
| UNSUPPORTED  | 489    | 490    | +1   |
+--------------+--------+--------+------+

Changes in testcases:
+------------------------------------------------------+--------+-------------+
| Testcase                                             | Before | After       |
+------------------------------------------------------+--------+-------------+
| elf/tst-tls20                                        | FAIL   | PASS        |
| posix/tst-wordexp-reuse-mem                          | N/A    | PASS        |
| resolv/tst-resolv-invalid-ptr                        | N/A    | PASS        |
| resolv/tst-resolv-dns-section                        | N/A    | PASS        |
| nss/tst-nss-malloc-failure-getlogin_r                | N/A    | UNSUPPORTED |
+------------------------------------------------------+--------+-------------+

Justification:

commit - 2be6cf2e75 posix: Run tst-wordexp-reuse-mem test
Fixes Makefile dependency to ensure the testcase is executed.
Passing new testcase:
+PASS: posix/tst-wordexp-reuse-mem

commit - dd9945c0ba resolv: Check hostname for validity (CVE-2026-4438)
Adds validation for hostname parsing and introduces a regression test.
Passing new testcase:
+PASS: resolv/tst-resolv-invalid-ptr

commit - 5c6fca0c62 resolv: Count records correctly (CVE-2026-4437)
Fixes DNS answer section parsing and adds a regression test.
Passing new testcase:
+PASS: resolv/tst-resolv-dns-section

commit - 48f5a05a7a nss: Missing checks in __nss_configure_lookup, __nss_database_get (bug 28940)
Fixes null pointer dereference and improves NSS handling.
Added testcase:
UNSUPPORTED: nss/tst-nss-malloc-failure-getlogin_r

Signed-off-by: Hemanth Kumar M D <Hemanth.KumarMD@windriver.com>
--- meta/recipes-core/glibc/glibc-version.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc index 89be8fcb88..015e7943c5 100644 --- a/meta/recipes-core/glibc/glibc-version.inc +++ b/meta/recipes-core/glibc/glibc-version.inc @@ -1,6 +1,6 @@ SRCBRANCH ?= "release/2.43/master" PV = "2.43+git" -SRCREV_glibc ?= "856c426a753450b8c6861a5b994a564f4fc16d4b" +SRCREV_glibc ?= "ce1013a197eb4a3b8ff2b07e0672f4d0b976ce7c" SRCREV_localedef ?= "cba02c503d7c853a38ccfb83c57e343ca5ecd7e5" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git;protocol=https"
--
2.49.0

--
Regards,
Hemanth Kumar M D
diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc index 89be8fcb88..015e7943c5 100644 --- a/meta/recipes-core/glibc/glibc-version.inc +++ b/meta/recipes-core/glibc/glibc-version.inc @@ -1,6 +1,6 @@ SRCBRANCH ?= "release/2.43/master" PV = "2.43+git" -SRCREV_glibc ?= "856c426a753450b8c6861a5b994a564f4fc16d4b" +SRCREV_glibc ?= "ce1013a197eb4a3b8ff2b07e0672f4d0b976ce7c" SRCREV_localedef ?= "cba02c503d7c853a38ccfb83c57e343ca5ecd7e5" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git;protocol=https"
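
Review bot: the SRCREV_glibc bump in glibc-version.inc is the only change in this patch (one file, 1 insertion, 1 deletion), yet the commit log lists dd9945c0ba (CVE-2026-4438) and 5c6fca0c62 (CVE-2026-4437) among the imported commits, so nothing in the recipe records those two CVEs as fixed. PV stays at "2.43+git" across the bump, so the version string gives no indication that the fixes are included. Add CVE-2026-4437 and CVE-2026-4438 to CVE_STATUS_STABLE_BACKPORTS in the same patch, as requested in review, so that the CVE reports stop listing them as open.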