azurelinux
[Azure Linux 3.0] Key Package Improvement
@mfrw - do we have a plan to support the new glibc version (2.39) in Mariner 2.0? Recently the community reported a new vulnerability in glibc which was fixed in 2.39; check details below:
"IsActionable": true, "Solution": Customer are advised to refer to GNU C Library Advisory (https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt), GLIBC-SA-2024-0001 (https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2024-0001;hb=HEAD), GLIBC-SA-2024-0002 (https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2024-0002;hb=HEAD), GLIBC-SA-2024-0003 (https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2024-0003;hb=HEAD).
Patch:
Following are links for downloading patches to fix the vulnerabilities:
GLIBC-SA-2024-0003, "ScanResult": #table cols="3" **Package Installed_Version Required_Version** glibc 2.35-6.cm2.x86__64 2.39-0,
@frcai I am not the right person to comment. Tagging a few folks, who should be able to though: /cc @eric-desrochers @jslobodzian @christopherco
We have already upgraded to glibc 2.38 in version 3.0 (see #6689), and we will likely stick with it for the 3.0 release. For the linked vulnerabilities, we will likely take the patches to 2.38.
In Mariner 2.0, we most likely will stick with glibc 2.35 and also take patches.