[opensuse] Now what? Glibc bug, vulnerability
Extremely severe bug leaves dizzying number of software and devices vulnerable
Since 2008, vulnerability has left apps and hardware open to remote hijacking.
by Dan Goodin - Feb 16, 2016
http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying...
Now what?
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 02/17/2016 12:00 AM, Stevens wrote:
Extremely severe bug leaves dizzying number of software and devices vulnerable Since 2008, vulnerability has left apps and hardware open to remote hijacking.
by Dan Goodin - Feb 16, 2016
http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying...
Now what?
Did you see any specific example of it running malicious code? All I saw was a crash.
--
So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com
DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com
Being so tracked is for FARM ANIMALS and extermination camps, but incompatible with living as a free human being. -RI Safir 2013
On Wed, Feb 17, 2016 at 12:15:53AM -0500, Ruben Safir wrote:
On 02/17/2016 12:00 AM, Stevens wrote:
Extremely severe bug leaves dizzying number of software and devices vulnerable Since 2008, vulnerability has left apps and hardware open to remote hijacking.
by Dan Goodin - Feb 16, 2016
http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying...
Now what?
Did you see any specific example of it running malicious code? All I saw was a crash.
Updates are being prepared and will likely be published today.
Ciao, Marcus
On 02/17/2016 02:50 AM, Marcus Meissner wrote:
Updates are being prepared and will likely be published today.
Really, this raises a couple of questions:
1. It was introduced in 2008. How come? Did no-one review the code change and see the buffer overflow back then?
2. It wasn't detected until now. How come? Has no-one reviewed the code since then?
It's not as if this is a rarely used piece of code in an application used by only a few people to add eye-candy to a desktop! This is core Internet handling code!
<quote> To the surprise of the Google researchers, they soon learned that glibc maintainers had been alerted to the vulnerability last July. </quote>
and later
<quote> It remains unclear why or how glibc maintainers allowed a bug of this magnitude to be introduced into their code, remain undiscovered for seven years, and then go unfixed for seven months following its report. By Google's account, the bug was independently uncovered by at least two and possibly three separate groups who all worked to have it fixed. It wouldn't be surprising if over the years the vulnerability was uncovered by additional people and possibly exploited against unsuspecting targets. </quote>
And only *NOW* is it considered to be a serious issue and hurry up and fix it.
What was that about woodpeckers ... Ah yes, Gerry Weinberg attributed with the quote in: Murali Chemuturi (2010) Mastering Software Quality Assurance: Best Practices, Tools and Technique for Software Developers. p. ix
This http://cafbit.com/entry/reinventing_software_for_security attributes many of the problems we have with 'memory' wrt security to the use of C and C++.
--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
On 02/17/2016 03:50 PM, Anton Aylward wrote:
Really, this raises a couple of questions:
1. It was introduced in 2008. How come? Did no-one review the code change and see the buffer overflow back then?
2. It wasn't detected until now. How come? Has no-one reviewed the code since then?
The answer is easy: I did not have a look at the code, and I guess you haven't either ... and the same applies to the rest of the world. It's always a matter of statistics - when implementing 1000 lines of code, then you introduce a certain number of bugs. There's no point of looking back for the "why?" here IMO - just fix it, and continue.
Have a nice day, Berny
On 02/17/2016 10:16 AM, Bernhard Voelker wrote:
The answer is easy: I did not have a look at the code, and I guess you haven't either ... and the same applies to the rest of the world.
So much for Raymond's proposition that "given enough eyeballs, all bugs are shallow"!
But you haven't answered a few parts of that question.
This is old code that was revised and the revision broke it. It worked before, why was it changed to something that was broken?
Buffer overflow is one of the classic programming bugs. We have scanners that search code for it.
Next up: if this was found so long ago why is it only now that it is being fixed?
http://bazaar.launchpad.net/~vcs-imports/glibc/master/revision/25149
--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
On 02/17/2016 08:16 AM, Anton Aylward wrote:
On 02/17/2016 10:16 AM, Bernhard Voelker wrote:
The answer is easy: I did not have a look at the code, and I guess you haven't either ... and the same applies to the rest of the world.
So much for Raymond's proposition that "given enough eyeballs, all bugs are shallow"!
But you haven't answered a few parts of that question.
This is old code that was revised and the revision broke it. It worked before, why was it changed to something that was broken?
Buffer overflow is one of the classic programming bugs. We have scanners that search code for it.
Next up: if this was found so long ago why is it only now that it is being fixed?
I suggest this is the wrong forum to post those questions. I doubt any of us here could answer them, and it's even less likely anyone associated with opensuse was responsible.
Many bugs are introduced in fixes, but until or unless the bug causes wrong results it's unlikely to be detected.
Just how good are these scanners? I've used these scanners in the past and the output was overwhelming. In one scanner that I used, unless EACH reference to a particular buffer operation was range-tested, it would spew hundreds of warnings that had to be checked manually. It invariably turned out that the programmer had indeed range tested the pointers, a dozen lines previously, in straight line code, and to add injury to insult, actually inserting the recommended range checks (dozens of them) would increase the size of the code dramatically, while reducing the speed significantly.
If the tools are as good as you suggest, wouldn't that be something a novice could run against source code as their contribution to opensource?
--
After all is said and done, more is said than done.
On 02/17/2016 09:50 AM, Anton Aylward wrote:
It remains unclear why or how glibc maintainers allowed a bug of this magnitude to be introduced into their code, remain undiscovered for seven years, and then go unfixed for seven months following its report
This is someone's opinion and not a very valuable one either.
--
So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com
DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com
Being so tracked is for FARM ANIMALS and extermination camps, but incompatible with living as a free human being. -RI Safir 2013
Looks like the patch for this is out for SLE11 and 12 now, I would assume that oS isn't far behind:

Patch: slessp3-glibc-12406 Kind: security Version: 1

This update for glibc fixes the following issues:
- CVE-2015-7547: A stack-based buffer overflow in getaddrinfo allowed remote attackers to cause a crash or execute arbitrary code via crafted and timed DNS responses (bsc#961721)
- CVE-2015-8777: Insufficient checking of LD_POINTER_GUARD environment variable allowed local attackers to bypass the pointer guarding protection of the dynamic loader on set-user-ID and set-group-ID programs (bsc#950944)
- CVE-2015-8776: Out-of-range time values passed to the strftime function may cause it to crash, leading to a denial of service, or potentially disclosure information (bsc#962736)
- CVE-2015-8778: Integer overflow in hcreate and hcreate_r could have caused an out-of-bound memory access. leading to application crashes or, potentially, arbitrary code execution (bsc#962737)
- CVE-2014-9761: A stack overflow (unbounded alloca) could have caused applications which process long strings with the nan function to crash or, potentially, execute arbitrary code. (bsc#962738)
- CVE-2015-8779: A stack overflow (unbounded alloca) in the catopen function could have caused applications which pass long strings to the catopen function to crash or, potentially execute arbitrary code. (bsc#962739)

The following non-security bugs were fixed:
- bsc#930721: Accept leading and trailing spaces in getdate input string
- bsc#942317: Recognize power8 platform
- bsc#950944: Always enable pointer guard
- bsc#956988: Fix deadlock in __dl_iterate_phdr

References:
962737 (bugzilla): VUL-1: CVE-2015-8778: glibc: hcreate((size_t)-1) should fail with ENOMEM
962736 (bugzilla): VUL-1: CVE-2015-8776: glibc: Passing out of range data to strftime() causes a segfault
961721 (bugzilla): VUL-0: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
962738 (bugzilla): VUL-1: CVE-2014-9761: glibc: nan function unbounded stack allocation
942317 (bugzilla): SLES11 SP4 on Power8 uses unoptimized glibc variant -- regression from SLES11 SP3 (found by tests of SAP HANA on POWER)
950944 (bugzilla): VUL-1: CVE-2015-8777: glibc: pointer guarding weakness
956988 (bugzilla): Partner-L3: SLES 11 SP4: deadlock in __dl_iterate_phdr caused by 'dl_load_lock'
962739 (bugzilla): VUL-1: CVE-2015-8779: glibc: catopen() Multiple unbounded stack allocations
930721 (bugzilla): LSB: getdate does not accept leading and trailing whitespaces
CVE-2015-8777 (cve): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8777
CVE-2015-8779 (cve): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8779
CVE-2015-8778 (cve): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8778
CVE-2015-8776 (cve): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8776
CVE-2015-7547 (cve): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547
CVE-2014-9761 (cve): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9761

Patch: SUSE-SLE-SERVER-12-2016-272 Kind: security Version: 1

This update for glibc fixes the following security issues:
- CVE-2015-7547: A stack-based buffer overflow in getaddrinfo allowed remote attackers to cause a crash or execute arbitrary code via crafte
- CVE-2015-8777: Insufficient checking of LD_POINTER_GUARD environment variable allowed local attackers to bypass the pointer guarding prote
- CVE-2015-8776: Out-of-range time values passed to the strftime function may cause it to crash, leading to a denial of service, or potentia
- CVE-2015-8778: Integer overflow in hcreate and hcreate_r could have caused an out-of-bound memory access. leading to application crashes o
- CVE-2014-9761: A stack overflow (unbounded alloca) could have caused applications which process long strings with the nan function to cras
- CVE-2015-8779: A stack overflow (unbounded alloca) in the catopen function could have caused applications which pass long strings to the c

The following non-security bugs were fixed:
- bsc#955647: Resource leak in resolver
- bsc#956716: Don't do lock elision on an error checking mutex
- bsc#958315: Reinitialize dl_load_write_lock on fork

References:
961721 (bugzilla): VUL-0: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
962737 (bugzilla): VUL-1: CVE-2015-8778: glibc: hcreate((size_t)-1) should fail with ENOMEM
962736 (bugzilla): VUL-1: CVE-2015-8776: glibc: Passing out of range data to strftime() causes a segfault
956716 (bugzilla): Partner-L3: Issue with lock elision and 3rd party software
962738 (bugzilla): VUL-1: CVE-2014-9761: glibc: nan function unbounded stack allocation
950944 (bugzilla): VUL-1: glibc: pointer guarding weakness
962739 (bugzilla): VUL-1: CVE-2015-8779: glibc: catopen() Multiple unbounded stack allocations
958315 (bugzilla): dl_load_write_lock isn't reinitialised during fork
955647 (bugzilla): Resource leak in resolver
CVE-2014-9761 (cve): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9761
CVE-2015-8779 (cve): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8779
CVE-2015-8778 (cve): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8778
CVE-2015-7547 (cve): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547
CVE-2015-8777 (cve): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8777
CVE-2015-8776 (cve): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8776
On Wed, Feb 17, 2016 at 12:00 AM, Stevens <fred-n-sandy@myrhinomail.com> wrote:
Extremely severe bug leaves dizzying number of software and devices vulnerable Since 2008, vulnerability has left apps and hardware open to remote hijacking.
by Dan Goodin - Feb 16, 2016
http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying...
Now what?
I read that article. It's not clear if an exploit other than crashing a piece of software has been developed.
Does anyone know if an exploit that allows remote access to data is possible? You may remember the heartbleed exploit allowed random bits of RAM to be accessed. By doing that thousands of times an attacker was often able to get private security keys that were in RAM. That's the sort of known exploit I'm asking about.
Thanks Greg
On 17/02/16 at 19:56, Greg Freemyer wrote:
On Wed, Feb 17, 2016 at 12:00 AM, Stevens <fred-n-sandy@myrhinomail.com> wrote:
Extremely severe bug leaves dizzying number of software and devices vulnerable Since 2008, vulnerability has left apps and hardware open to remote hijacking.
by Dan Goodin - Feb 16, 2016
http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying...
Now what?
I read that article. It's not clear if an exploit other than crashing a piece of software has been developed.
Does anyone know if an exploit that allows remote access to data is possible? You may remember the heartbleed exploit allowed random bits of RAM to be accessed. By doing that thousands of times an attacker was often able to get private security keys that were in RAM. That's the sort of known exploit I'm asking about.
Thanks Greg
Which OpenSuSE versions will get a fix for CVE-2015-7547 and when?
Best regards ME
On Wed, Feb 17, 2016 at 08:47:55PM +0100, MarkusGMX wrote:
On 17/02/16 at 19:56, Greg Freemyer wrote:
On Wed, Feb 17, 2016 at 12:00 AM, Stevens <fred-n-sandy@myrhinomail.com> wrote:
Extremely severe bug leaves dizzying number of software and devices vulnerable Since 2008, vulnerability has left apps and hardware open to remote hijacking.
by Dan Goodin - Feb 16, 2016
http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying...
Now what?
I read that article. It's not clear if an exploit other than crashing a piece of software has been developed.
Does anyone know if an exploit that allows remote access to data is possible? You may remember the heartbleed exploit allowed random bits of RAM to be accessed. By doing that thousands of times an attacker was often able to get private security keys that were in RAM. That's the sort of known exploit I'm asking about.
Thanks Greg
Which OpenSuSE versions will get a fix for CVE-2015-7547 and when?
Leap has received the update this morning.
13.2 is still building due to secondary architectures (ppc, aarch64) being slow.
A Tumbleweed request is also open, unclear how fast it will pass through the integration infrastructure.
Ciao, Marcus
Marcus Meissner <meissner@suse.de> wrote at 20:49 on Wednesday, 17 February 2016:
On Wed, Feb 17, 2016 at 08:47:55PM +0100, MarkusGMX wrote:
Which OpenSuSE versions will get a fix for CVE-2015-7547 and when?
Leap has received the update this morning.
13.2 is still building due to secondary architectures (ppc, aarch64) being slow.
A Tumbleweed request is also open, unclear how fast it will pass through the integration infrastructure.
What about OpenSuSE 13.1?
Btw. I made an update today and suddenly X11 and KDE did not show up. SuSE 13.1 Turned out that NFS clients that I added some time ago were not present, SuSE 13.1 waiting for quite some time at bootup, X11 showing some timeout and then: no KDE :-( Removed the NFS clients and X11+KDE worked again. What was changed on SuSE side in this case so that the complete boot process seems to be different? Why such timeouts in X11? This was working up to now without such hiccups.
Thx in advance
Pete
On 02/17/2016 03:33 PM, Peter Maffter wrote:
Marcus Meissner <meissner@suse.de> wrote at 20:49 on Wednesday, 17 February 2016:
On Wed, Feb 17, 2016 at 08:47:55PM +0100, MarkusGMX wrote:
Which OpenSuSE versions will get a fix for CVE-2015-7547 and when?
Leap has received the update this morning.
13.2 is still building due to secondary architectures (ppc, aarch64) being slow.
A Tumbleweed request is also open, unclear how fast it will pass through the integration infrastructure.
What about OpenSuSE 13.1?
Btw. I made an update today and suddenly X11 and KDE did not show up. SuSE 13.1 Turned out that NFS clients that I added some time ago were not present, SuSE 13.1 waiting for quite some time at bootup, X11 showing some timeout and then: no KDE :-( Removed the NFS clients and X11+KDE worked again. What was changed on SuSE side in this case so that the complete boot process seems to be different? Why such timeouts in X11? This was working up to now without such hiccups.
Thx in advance Pete
I've had weird things happen in 13.2 lately as well. I go out of my way to lock a specific version of Unison, because all participants have to be running the same version, yet twice in the last 4 days something has unlocked that version and tries to update unison.
--
After all is said and done, more is said than done.
On 18/02/16 00:33, Peter Maffter wrote:
What about OpenSuSE 13.1?
Btw. I made an update today and suddenly X11 and KDE did not show up. SuSE 13.1 Turned out that NFS clients that I added some time ago were not present, SuSE 13.1 waiting for quite some time at bootup, X11 showing some timeout and then: no KDE :-( Removed the NFS clients and X11+KDE worked again. What was changed on SuSE side in this case so that the complete boot process seems to be different? Why such timeouts in X11? This was working up to now without such hiccups.
On my 13.1 production machine, after the big systemd 208 -> 210 update the other week (apparently the last official 13.1 update before Evergreen), boot now takes twice as long. I have an old dual core laptop with an Intel 530 SSD upgrade. When I first installed 13.1 on the fresh drive, boot (post-GRUB, pre-login) took a mere couple of seconds. It slowed over time. Now since this last update it takes about twenty.
gumb
On 02/18/2016 01:43 AM, gumb wrote:
On 18/02/16 00:33, Peter Maffter wrote:
What about OpenSuSE 13.1?
On my 13.1 production machine, after the big systemd 208 -> 210 update the other week
I think this one is faulty. I have tabooed it in my system.
--
Cheers / Saludos,
Carlos E. R.
(from openSUSE Leap 42.1 x86_64 (test))
On 02/17/2016 08:49 PM, Marcus Meissner wrote:
Leap has received the update this morning.
13.2 is still building due to secondary architectures (ppc, aarch64) being slow.
A Tumbleweed request is also open, unclear how fast it will pass through the integration infrastructure.
Ciao, Marcus
Still building? I don't see updates for 13.2. Thank you
On Thu, Feb 18, 2016 at 03:13:36PM +0100, Florian Gleixner wrote:
On 02/17/2016 08:49 PM, Marcus Meissner wrote:
Leap has received the update this morning.
13.2 is still building due to secondary architectures (ppc, aarch64) being slow.
A Tumbleweed request is also open, unclear how fast it will pass through the integration infrastructure.
Ciao, Marcus
Still building? I don't see updates for 13.2.
In openSUSE:Maintenance:4693 ... :/
Due to high OBS load (lot of checkins in the factory stagings) it is not progressing as fast as wanted.
Ciao, Marcus
Marcus Meissner <meissner@suse.de> wrote at 15:25 on Thursday, 18 February 2016:
On Thu, Feb 18, 2016 at 03:13:36PM +0100, Florian Gleixner wrote: ... Still building? I don't see updates for 13.2.
In openSUSE:Maintenance:4693 ... :/
Due to high OBS load (lot of checkins in the factory stagings) it is not progressing as fast as wanted.
Ciao, Marcus
Will OpenSuSE 13.1 also be updated?
BR Pete
On 19.02.2016 at 00:50, Peter Maffter wrote:
Marcus Meissner <meissner@suse.de> wrote at 15:25 on Thursday, 18 February 2016:
On Thu, Feb 18, 2016 at 03:13:36PM +0100, Florian Gleixner wrote: ... Still building? I don't see updates for 13.2.
In openSUSE:Maintenance:4693 ... :/
Due to high OBS load (lot of checkins in the factory stagings) it is not progressing as fast as wanted.
Ciao, Marcus
Will OpenSuSE 13.1 also be updated?
Yes.
Wolfgang
On 19/02/16 at 07:07, Wolfgang Rosenauer wrote:
On 19.02.2016 at 00:50, Peter Maffter wrote:
Marcus Meissner <meissner@suse.de> wrote at 15:25 on Thursday, 18 February 2016:
On Thu, Feb 18, 2016 at 03:13:36PM +0100, Florian Gleixner wrote: ... Still building? I don't see updates for 13.2.
In openSUSE:Maintenance:4693 ... :/
Due to high OBS load (lot of checkins in the factory stagings) it is not progressing as fast as wanted.
Ciao, Marcus
Will OpenSuSE 13.1 also be updated?
Yes.
Are there already timeplans for 13.2 and 13.1 when the updates will be ready?
BR Markus
On Sat, Feb 20, 2016 at 02:00:25PM +0100, Markus Egg wrote:
On 19/02/16 at 07:07, Wolfgang Rosenauer wrote:
On 19.02.2016 at 00:50, Peter Maffter wrote:
Marcus Meissner <meissner@suse.de> wrote at 15:25 on Thursday, 18 February 2016:
On Thu, Feb 18, 2016 at 03:13:36PM +0100, Florian Gleixner wrote: ... Still building? I don't see updates for 13.2.
In openSUSE:Maintenance:4693 ... :/
Due to high OBS load (lot of checkins in the factory stagings) it is not progressing as fast as wanted.
Ciao, Marcus
Will OpenSuSE 13.1 also be updated?
Yes.
Are there already timeplans for 13.2 and 13.1 when the updates will be ready?
They were released last week.
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00044.html
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00042.html
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00041.html
Ciao, Marcus
On 02/20/2016 05:06 AM, Marcus Meissner wrote:
On Sat, Feb 20, 2016 at 02:00:25PM +0100, Markus Egg wrote:
On 19/02/16 at 07:07, Wolfgang Rosenauer wrote:
On 19.02.2016 at 00:50, Peter Maffter wrote:
Marcus Meissner <meissner@suse.de> wrote at 15:25 on Thursday, 18 February 2016:
On Thu, Feb 18, 2016 at 03:13:36PM +0100, Florian Gleixner wrote: ... Still building? I don't see updates for 13.2.
In openSUSE:Maintenance:4693 ... :/
Due to high OBS load (lot of checkins in the factory stagings) it is not progressing as fast as wanted.
Ciao, Marcus
Will OpenSuSE 13.1 also be updated?
Yes.
Are there already timeplans for 13.2 and 13.1 when the updates will be ready?
They were released last week.
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00044.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00042.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00041.html
Ciao, Marcus
Are there no packages in common usage where the glibc library routines are linked directly into the executables?
Someone told me this was possible, but I have no clue.
--
After all is said and done, more is said than done.
On 02/20/2016 07:46 PM, John Andersen wrote:
Are there no packages in common usage where the glibc library routines are linked directly into the executables?
Someone told me this was possible, but I have no clue.
AFAIK, this is only done by proprietary packages, so that they distribute a single binary package for all the distributions. It may be done also by some programs intended for rescue operations.
Normally, anything distributed by openSUSE is using dynamic, runtime, linking. I think there is a policy about this.
--
Cheers / Saludos,
Carlos E. R.
(from openSUSE Leap 42.1 x86_64 (test))
On Sat, Feb 20, 2016 at 1:59 PM, Carlos E. R. <robin.listas@telefonica.net> wrote:
On 02/20/2016 07:46 PM, John Andersen wrote:
Are there no packages in common usage where the glibc library routines are linked directly into the executables?
Someone told me this was possible, but I have no clue.
AFAIK, this is only done by proprietary packages, so that they distribute a single binary package for all the distributions. It may be done also by some programs intended for rescue operations.
Normally, anything distributed by openSUSE is using dynamic, runtime, linking. I think there is a policy about this.
A static library is still a library. Shared libs are *.so. Statics are *.a. Look around your system and see if you have a glibc*.a file anywhere. In theory they should be in one of the lib folders, so you don't have that many places to look.
Anyway that policy is a "written policy", but as with many policies there are counter-examples.
For factory (Tumbleweed) at least, glibc does have a formal static lib RPM: glibc-devel-static
If you look at the below page you can see the couple of packages in factory that actually link against it officially.
https://build.opensuse.org/package/binary/openSUSE:Factory/glibc?arch=x86_64...
Those packages will see the updated glibc-devel-static rpm and will rebuild and be published automatically.
There could also be packages not in the distro that link against it so that could be a concern.
If you are concerned, just make sure the older version of the glibc-devel-static library is uninstalled (i.e. updated to the new release.)
I would also do a full search across your machine and make sure you don't have the static lib if it's not needed:
find / -name glibc\*.a
Greg
21.02.2016 00:47, Greg Freemyer wrote:
On Sat, Feb 20, 2016 at 1:59 PM, Carlos E. R. <robin.listas@telefonica.net> wrote:
On 02/20/2016 07:46 PM, John Andersen wrote:
Are there no packages in common usage where the glibc library routines are linked directly into the executables?
Someone told me this was possible, but I have no clue.
AFAIK, this is only done by proprietary packages, so that they distribute a single binary package for all the distributions. It may be done also by some programs intended for rescue operations.
Normally, anything distributed by openSUSE is using dynamic, runtime, linking. I think there is a policy about this.
A static library is still a library. Shared libs are *.so Statics are *.a. Look around your system and see if you have a glibc*.a file anywhere.
And how does it matter? How is having a static library on your system related to having programs statically linked with this library? A static library is needed on the build system to link with; it is not needed on the target system where the program is installed.
On 02/20/2016 01:53 PM, Andrei Borzenkov wrote:
21.02.2016 00:47, Greg Freemyer wrote:
On Sat, Feb 20, 2016 at 1:59 PM, Carlos E. R. <robin.listas@telefonica.net> wrote:
On 02/20/2016 07:46 PM, John Andersen wrote:
Are there no packages in common usage where the glibc library routines are linked directly into the executables?
Someone told me this was possible, but I have no clue.
AFAIK, this is only done by proprietary packages, so that they distribute a single binary package for all the distributions. It may be done also by some programs intended for rescue operations.
Normally, anything distributed by openSUSE is using dynamic, runtime, linking. I think there is a policy about this.
A static library is still a library. Shared libs are *.so Statics are *.a. Look around your system and see if you have a glibc*.a file anywhere.
And how does it matter? How is having a static library on your system related to having programs statically linked with this library? A static library is needed on the build system to link with; it is not needed on the target system where the program is installed.
And that's the part that is concerning. We might expect updates to packages from opensuse for those that detect the need to be recompiled. But I suppose there might be others that continue to operate on their own linked in copies within binary packages without reference to the libraries.
I only run a few such things where I don't have Opensuse to look for static linked things. Vmware (paid) Google Earth, Google Chrome are all that spring to mind. I would expect google to fix their stuff, but Vmware fired all their main staff in a reorg.
--
After all is said and done, more is said than done.
On 02/20/2016 10:47 PM, Greg Freemyer wrote:
On Sat, Feb 20, 2016 at 1:59 PM, Carlos E. R. <> wrote:
I would also do a full search across your machine and make sure you don't have the static lib if it's not needed:
I believe this only matters if you build locally and statically against it. -- Cheers / Saludos, Carlos E. R. (from openSUSE Leap 42.1 x86_64 (test))
On 20/02/2016 23:47, Greg Freemyer wrote:
A static library is still a library. Shared libs are *.so Statics are *.a. Look around your system and see if you have a glibc*.a file anywhere. In theory they should be in one of the lib folders, so you don't have that many places to look.
If an application links to a static library, the library code is part of the application, so you won't find any trace of it on your system. If you have a static devel library on your system, you will find the .la or .a binaries on your system in the lib folder, i.e. glibc-devel-static.
Dave P
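A check for the concern raised in this sub-thread, added here as an example and not part of any poster's message: it walks a directory and lists ELF executables that do not request the dynamic loader (no PT_INTERP program header), which are the binaries a glibc package update cannot reach. The function names and the `make_elf` sample builder are assumptions of this example; a hit means the file carries its own C library code of some kind, not necessarily glibc or its resolver.

```python
import os, struct, sys

ET_EXEC, PT_INTERP = 2, 3   # ELF e_type / p_type constants

def classify(f):
    """Classify an open binary file as 'not-elf', 'dynamic', 'static' or 'other'."""
    hdr = f.read(64)
    if len(hdr) < 16 or hdr[:4] != b"\x7fELF" or hdr[4] not in (1, 2) or hdr[5] not in (1, 2):
        return "not-elf"
    end = "<" if hdr[5] == 1 else ">"                 # EI_DATA: byte order
    # Field offsets differ between ELFCLASS64 and ELFCLASS32.
    fmt, off_ph, off_sz = ("Q", 0x20, 0x36) if hdr[4] == 2 else ("I", 0x1C, 0x2A)
    if len(hdr) < off_sz + 4:
        return "not-elf"
    e_type, = struct.unpack_from(end + "H", hdr, 16)
    phoff, = struct.unpack_from(end + fmt, hdr, off_ph)
    phentsize, phnum = struct.unpack_from(end + "HH", hdr, off_sz)
    if phoff > 1 << 32:                               # implausible offset: corrupt header
        return "other"
    f.seek(phoff)
    table = f.read(min(phentsize * phnum, 1 << 20))   # bound the read on hostile headers
    ptypes = {struct.unpack_from(end + "I", table, i * phentsize)[0]
              for i in range(phnum) if i * phentsize + 4 <= len(table)}
    if PT_INTERP in ptypes:
        return "dynamic"                              # asks for ld.so, uses the system libc
    # ET_DYN without PT_INTERP is a shared object (or static PIE): reported as 'other'.
    return "static" if e_type == ET_EXEC else "other"

def find_static(root):
    """Yield regular files under root that are ET_EXEC without PT_INTERP."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.isfile(path) and not os.path.islink(path):
                    with open(path, "rb") as f:
                        if classify(f) == "static":
                            yield path
            except OSError:
                continue                              # unreadable file: skip it

def make_elf(e_type, ptypes):
    """Constructed sample: 64-bit little-endian ELF header plus bare program headers."""
    hdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(ptypes), 0, 0, 0)
    return hdr + b"".join(struct.pack("<I", t) + bytes(52) for t in ptypes)

if __name__ == "__main__":
    for root in sys.argv[1:]:                         # e.g. the directory a vendor installs into
        print("\n".join(find_static(root)))
```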
On Sat, Feb 20, 2016 at 10:46:22AM -0800, John Andersen wrote:
On 02/20/2016 05:06 AM, Marcus Meissner wrote:
On Sat, Feb 20, 2016 at 02:00:25PM +0100, Markus Egg wrote:
On 19/02/16 at 07:07, Wolfgang Rosenauer wrote:
On 19.02.2016 at 00:50, Peter Maffter wrote:
Marcus Meissner <meissner@suse.de> wrote at 15:25 on Thursday, 18 February 2016:
> On Thu, Feb 18, 2016 at 03:13:36PM +0100, Florian Gleixner wrote: ...
> Still building? I don't see updates for 13.2.
In openSUSE:Maintenance:4693 ... :/
Due to high OBS load (lot of checkins in the factory stagings) it is not progressing as fast as wanted.
Ciao, Marcus
Will OpenSuSE 13.1 also be updated?
Yes.
Are there already timeplans for 13.2 and 13.1 when the updates will be ready?
They were released last week.
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00044.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00042.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00041.html
Ciao, Marcus
Are there no packages in common usage where the glibc library routines are linked directly into the executables?
No. A very very small set of packages links glibc statically, usually this is limited to the bootloader and related packages.
Someone told me this was possible, but I have no clue.
Especially with the dynamically loaded resolver, which is at problem here, this is likely not the cause.
ciao, Marcus
On 02/20/2016 08:00 AM, Markus Egg wrote:
On 19/02/16 at 07:07, Wolfgang Rosenauer wrote:
On 19.02.2016 at 00:50, Peter Maffter wrote:
Marcus Meissner <meissner@suse.de> wrote at 15:25 on Thursday, 18 February 2016:
On Thu, Feb 18, 2016 at 03:13:36PM +0100, Florian Gleixner wrote: ... Still building? I don't see updates for 13.2.
In openSUSE:Maintenance:4693 ... :/
Due to high OBS load (lot of checkins in the factory stagings) it is not progressing as fast as wanted.
Ciao, Marcus
Will OpenSuSE 13.1 also be updated?
Yes.
Are there already timeplans for 13.2 and 13.1 when the updates will be ready?
Yesterday?

Information for package glibc:
------------------------------
Repository: openSUSE-13.1-Update
Name: glibc
Version: 2.18-4.41.2
Arch: x86_64
Vendor: openSUSE
Installed: Yes
Status: up-to-date
Installed Size: 6.3 MiB
Summary: Standard Shared Libraries (from the GNU C Library)
Description:
The GNU C Library provides the most important standard libraries used by nearly all programs: the standard C library, the standard math library, and the POSIX thread library. A system is not functional without these libraries.

anton@Mainbox:~> rpm -q --last glibc
glibc-2.18-4.41.2.x86_64 Fri 19 Feb 2016 12:22:55 PM EST

In fact, for completeness ...

anton@Mainbox:~> for i in $(rpm -qa | grep glibc)
do
rpm -q --last $i
done
glibc-i18ndata-2.18-4.41.2.noarch Fri 19 Feb 2016 12:23:13 PM EST
glibc-extra-2.18-4.41.2.x86_64 Fri 19 Feb 2016 12:24:13 PM EST
glibc-2.18-4.41.2.x86_64 Fri 19 Feb 2016 12:22:55 PM EST
glibc-devel-2.18-4.41.2.x86_64 Fri 19 Feb 2016 12:24:27 PM EST
linux-glibc-devel-3.11-2.1.15.noarch Thu 16 Apr 2015 01:42:07 PM EDT
glibc-32bit-2.18-4.41.1.x86_64 Fri 19 Feb 2016 12:23:04 PM EST
glibc-locale-2.18-4.41.2.x86_64 Fri 19 Feb 2016 12:24:10 PM EST
glibc-locale-32bit-2.18-4.41.1.x86_64 Fri 19 Feb 2016 12:24:32 PM EST

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
Marcus Meissner <meissner@suse.de> writes: Hi Marcus:
A Tumbleweed request is also open, unclear how fast it will pass through the integration infrastructure.
Any idea on the ETA of this. This is a serious bug. Thanks. Charles -- "The move was on to 'Free the Lizard'" -- Jim Hamerly and Tom Paquin (Open Sources, 1999 O'Reilly and Associates)
On 02/19/2016 09:02 AM, Charles Philip Chan wrote:
Marcus Meissner <meissner@suse.de> writes:
Hi Marcus:
A Tumbleweed request is also open, unclear how fast it will pass through the integration infrastructure. Any idea on the ETA of this. This is a serious bug.
Thanks.
Charles
The TW update came thru on my machine a little over 1 hour ago. Regards, sdm
On Fri, Feb 19, 2016 at 12:02:49PM -0500, Charles Philip Chan wrote:
Marcus Meissner <meissner@suse.de> writes:
Hi Marcus:
A Tumbleweed request is also open, unclear how fast it will pass through the integration infrastructure.
Any idea on the ETA of this. This is a serious bug.
It was released yesterday. Ciao, Marcus
Marcus Meissner <meissner@suse.de> writes:
It was released yesterday.
Hum... strange, just did a "zypper dup" and I don't see it:

,----[ Output of "rpm -qi glibc" ]
| Name        : glibc
| Version     : 2.22
| Release     : 6.2
| Architecture: x86_64
| Install Date: Thu Jan 28 03:28:45 2016
| Group       : System/Libraries
| Size        : 6800264
| License     : LGPL-2.1+ and SUSE-LGPL-2.1+-with-GCC-exception and GPL-2.0+
| Signature   : RSA/SHA256, Sun Jan 17 18:47:56 2016, Key ID b88b2fd43dbdc284
| Source RPM  : glibc-2.22-6.2.src.rpm
| Build Date  : Sun Jan 17 18:42:04 2016
| Build Host  : cloud112
| Relocations : (not relocatable)
| Packager    : http://bugs.opensuse.org
| Vendor      : openSUSE
| URL         : http://www.gnu.org/software/libc/libc.html
| Summary     : Standard Shared Libraries (from the GNU C Library)
| Description :
| The GNU C Library provides the most important standard libraries used
| by nearly all programs: the standard C library, the standard math
| library, and the POSIX thread library. A system is not functional
| without these libraries.
| Distribution: openSUSE Factory
`----

Charles
-- "The IETF motto is 'rough consensus and running code'" -- Scott Bradner (Open Sources, 1999 O'Reilly and Associates)
* Charles Philip Chan <cpchan@bell.net> [02-19-16 12:17]:
Marcus Meissner <meissner@suse.de> writes:
It was released yesterday.
Hum... strange, just did a "zypper dup" and I don't see it:
,----[ Output of "rpm -qi glibc" ]
| Name        : glibc
| Version     : 2.22
| Release     : 6.2
| Architecture: x86_64
| Install Date: Thu Jan 28 03:28:45 2016
| Group       : System/Libraries
| Size        : 6800264
| License     : LGPL-2.1+ and SUSE-LGPL-2.1+-with-GCC-exception and GPL-2.0+

#> rpm -qi glibc
Name        : glibc
Version     : 2.22
Release     : 8.2
Architecture: x86_64
Install Date: Fri 19 Feb 2016 08:36:11 AM EST
Group       : System/Libraries
Size        : 7009936
License     : LGPL-2.1+ and SUSE-LGPL-2.1+-with-GCC-exception and GPL-2.0+

#> rpm -q --last glibc
glibc-2.22-8.2.x86_64 Fri 19 Feb 2016 08:36:11 AM EST

-- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://linuxcounter.net
On Fri, Feb 19, 2016 at 12:20:02PM -0500, Patrick Shanahan wrote:
* Charles Philip Chan <cpchan@bell.net> [02-19-16 12:17]:
Marcus Meissner <meissner@suse.de> writes:
It was released yesterday.
Hum... strange, just did a "zypper dup" and I don't see it:
Make sure the tumbleweed update repository is enabled and refreshed. http://download.opensuse.org/update/factory/
,----[ Output of "rpm -qi glibc" ]
| Name        : glibc
| Version     : 2.22
| Release     : 6.2
| Architecture: x86_64
| Install Date: Thu Jan 28 03:28:45 2016
| Group       : System/Libraries
| Size        : 6800264
| License     : LGPL-2.1+ and SUSE-LGPL-2.1+-with-GCC-exception and GPL-2.0+

#> rpm -qi glibc
Name        : glibc
Version     : 2.22
Release     : 8.2
Architecture: x86_64
Install Date: Fri 19 Feb 2016 08:36:11 AM EST
Group       : System/Libraries
Size        : 7009936
License     : LGPL-2.1+ and SUSE-LGPL-2.1+-with-GCC-exception and GPL-2.0+

#> rpm -q --last glibc
glibc-2.22-8.2.x86_64 Fri 19 Feb 2016 08:36:11 AM EST

-- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://linuxcounter.net

-- Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <meissner@suse.de>
Marcus Meissner <meissner@suse.de> writes: Hi Marcus:
Make sure the tumbleweed update repository is enabled and refreshed.
Thank you, that worked. Charles -- "On the Internet, no one knows you're using Windows NT" (Submitted by Ramiro Estrugo, restrugo@fateware.com)
participants (20)
- Andrei Borzenkov
- Anton Aylward
- Bernhard Voelker
- Carlos E. R.
- Charles Philip Chan
- Christopher Myers
- Dave Plater
- Florian Gleixner
- Greg Freemyer
- gumb
- John Andersen
- Marcus Meissner
- Markus Egg
- MarkusGMX
- Patrick Shanahan
- Peter Maffter
- Ruben Safir
- sdm
- Stevens
- Wolfgang Rosenauer