* Aurelien Jarno:

> On 2021-06-04 20:34, Florian Weimer wrote:
>> * Moritz Mühlenhoff:
>>
>> > On Wed, Sep 09, 2020 at 12:30:44PM +0200, Aurelien Jarno wrote:
>> >> control: forcemerge 967938 969926
>> >>
>> >> Hi,
>> >>
>> >> On 2020-09-09 02:58, Bernd Zeimetz wrote:
>> >> > Source: glibc
>> >> > Version: 2.28-10
>> >> > Severity: serious
>> >> > Tags: security upstream patch
>> >> > X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
>> >> >
>> >> > Hi,
>> >> >
>> >> > we are running into the bug
>> >> > https://sourceware.org/bugzilla/show_bug.cgi?id=20338
>> >> > causing systemd-sysusers to segfault.
>> >> >
>> >> > Patch is available in the linked bug report.
>> >>
>> >> This has already been reported, Florian will work on a backport, as it
>> >> is not straightforward to backport it to buster due to the usage of
>> >> private symbols.
>> >
>> > Florian, did you manage to backport this to 2.31? It would be nice to get
>> > this fixed for a Buster point release still.
>>
>> Do you mean 2.28? DJ Delorie did the backport, and Carlos O'Donell
>> implemented the GLIBC_PRIVATE ABI compatibility fix. I'll see if I
>> can get the patches to apply to Debian's 2.28 tree.
>
> Is it possible to commit those patches to the upstream 2.28 branch? If
> so, I guess we can simply pull the branch in the Debian package, fixing
> many other security bugs at the same time.

I'm concerned about the GLIBC_PRIVATE internal ABI change, it causes
issues if the update is applied without a reboot:

  glibc: After upgrade, before reboot, systemd services using USER= do
  not start (caused by fix for bug 1871397)
  <https://bugzilla.redhat.com/show_bug.cgi?id=1927040>

I guess we can use Carlos' patch for upstream as well. However, I would
also have to backport it to 2.28, 2.29, 2.30, 2.31, so that we have bug
fix monotonicity. 2.31 is probably doable, which should help bullseye.

It's mostly a psychological thing for me, I'm very busy with getting
patches into glibc 2.34 at work, and downstream Debian work would be at
least slightly different.