Easy approach does not work. After update, |
Hmm, with the last two glibc versions the Slackware guys did a full
rebuild (yes! everything...). I hope that this isn't a bad omen.
Just guessing into the blue -- maybe a ssl/libcrypto rebuild will
suffice, eventually it should be checked if these libs need to be built
with versionized symbols?
|
This is the link I mentioned today in the vc: https://abi-laboratory.pro/?view=timeline&l=glibc |
Remove configure option --enable-obsolete-nsl. libnsl is only built as shared library for backward compatibility and the NSS modules "nis" and "nisplus" are not built at all |
"sudo" and "su" happy again, "sshd" not yet. |
sshd: This took me many hours to find, because I suspected problems in the pam/nss/nis area, but in fact it is totally unrelated.
So our openssh version 7.9p1 is too old for glibc 2.33. |
So our openssh version 7.9p1 is too old for glibc 2.33.
So, disting a fresh openssh version 8.2 together with glibc 2.33 would
be a funny adventure for the very hardboiled ones -- I guess.
From the few things I've checked so far, there might also be issues
from Qt (more precisely webkit/webengine, not Qt itself), requiring a
rebuild. Well, some more collateral damage is supposed to come too, I fear.
As for openssh, (AFAIK any) distro(s) use patches for openssh to use
versionized symbols in the libs created (and I guess they don't do it
just only because they can...). Therefore I propose to investigate ways
of robust building openssh a bit deeper before proceeding with the glibc
update. (BTW, didn't I guess right ;)
Meaning, check if we can hop to openssh 8.2 with good-old glibc, check,
check-again, and then prepare the glibc update.
|
Yeah, just upgrade openssh and the problem is gone. |
Sounds good (on behold...), just recognized that I've mangled openssh and openssl, so drop the versionizing thing. Anyway I would be careful.
…--
Thomas Kreitler - Information Retrieval
kreitler@molgen.mpg.de
49/30/8413 1702
|
Update procedure:
plus potentially anything which does dlopen (e.g. all httpd web servers) |
Could someone test this on a workstation ?
|
Test on workstation done. |
We should test whether the gdm lock screen needs a restart (because of pam plugins). Also test xlock (I don't think there is a problem) |
GDM? lightdm is used for some time now. What lock screen do you mean? And for locking, XScreenSaver is used to my knowledge (I recommend slock though. ;-)) |
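Added example, not part of the thread or of the project's tooling: the remark about long-running programs that `dlopen` and the question whether the login/lock screen needs a restart because of PAM plugins both come down to finding processes that still map the pre-update libraries. This sketch parses `/proc/<pid>/maps` for watched libraries marked `(deleted)`; the watch pattern and the sample lines are constructed, and it assumes the package manager replaces files by unlink/rename rather than overwriting them in place.

```python
import os
import re

# Assumption: basenames worth watching after a glibc update (libc itself, the
# dynamic loader, NSS and PAM modules). Extend for locally rebuilt packages.
WATCHED = re.compile(r"/(libc|libcrypt|libnsl|libnss_\w+|libpam\w*|pam_\w+|ld)[-.][^/]*$")
DELETED = " (deleted)"


def stale_libs(maps_text):
    """Return watched libraries that are mapped from files since replaced."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode path
        if len(fields) == 6 and fields[5].endswith(DELETED):
            path = fields[5][: -len(DELETED)]
            if WATCHED.search(path):
                stale.add(path)
    return sorted(stale)


def scan_proc(proc="/proc"):
    """Map pid -> (command name, stale libraries) for each readable process."""
    report = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "maps")) as f:
                libs = stale_libs(f.read())
            with open(os.path.join(proc, pid, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited meanwhile, or we lack permission
        if libs:
            report[int(pid)] = (comm, libs)
    return report


# Constructed sample of /proc/<pid>/maps for a daemon started before the update.
SAMPLE = """\
55d0c8a00000-55d0c8a2f000 r-xp 00000000 08:02 131337 /usr/sbin/sshd
7f1c2a400000-7f1c2a5c3000 r-xp 00000000 08:02 262211 /lib/libc-2.32.so (deleted)
7f1c2a800000-7f1c2a80b000 r-xp 00000000 08:02 262245 /lib/libnss_files-2.32.so (deleted)
7f1c2aa00000-7f1c2aa0d000 r-xp 00000000 08:02 262300 /lib/security/pam_unix.so
7f1c2ab00000-7f1c2ab40000 r-xp 00000000 08:02 262400 /usr/lib/libcups.so.2 (deleted)
7f1c2ac00000-7f1c2ac21000 rw-p 00000000 00:00 0
"""

if __name__ == "__main__":
    for pid, (comm, libs) in sorted(scan_proc().items()):
        print(pid, comm, *libs)
```

Run as root after the update so that every process's maps file is readable; each pid listed is a candidate for a restart.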
From the [announcement][1]:

> NEWS for version 2.29
> ====================
>
> * The getcpu wrapper function has been added, which returns the
> currently used CPU and NUMA node. This function is Linux-specific.
>
> * A new convenience target has been added for distribution maintainers
> to build and install all locales as directories with files. The new
> target is run by issuing the following command in your build tree:
> 'make localedata/install-locale-files', with an optional DESTDIR
> to set the install root if you wish to install into a non-default
> configured location.
>
> * Optimized generic exp, exp2, log, log2, pow, sinf, cosf, sincosf and
> tanf.
>
> * The reallocarray function is now declared under _DEFAULT_SOURCE, not
> just for _GNU_SOURCE, to match BSD environments.
>
> * For powercp64le ABI, Transactional Lock Elision is now enabled iff
> kernel indicates that it will abort the transaction prior to entering
> the kernel (PPC_FEATURE2_HTM_NOSC on hwcap2). On older kernels the
> transaction is suspended, and this caused some undefined side-effects
> issues by aborting transactions manually. Glibc avoided it by abort
> transactions manually on each syscall, but it lead to performance
> issues on newer kernels where the HTM state is saved and restore
> lazily (the state being saved even when the process actually does not
> use HTM).
>
> * The functions posix_spawn_file_actions_addchdir_np and
> posix_spawn_file_actions_addfchdir_np have been added, enabling
> posix_spawn and posix_spawnp to run the new process in a different
> directory. These functions are GNU extensions. The function
> posix_spawn_file_actions_addchdir_np is similar to the Solaris
> function of the same name.
>
> * The popen and system do not run atfork handlers anymore (BZ#17490).
> Although it is a possible POSIX violation, the POSIX rationale in
> pthread_atfork documentation regarding atfork handlers is to handle
> inconsistent mutex state after a fork call in a multi-threaded
> process.
> In both popen and system there is no direct access to user-defined
> mutexes.
>
> * Support for the C-SKY ABIV2 running on Linux has been added. This
> port requires at least binutils-2.32, gcc-9.0, and linux-4.20. Two
> ABIs are supported:
> - C-SKY ABIV2 soft-float little-endian
> - C-SKY ABIV2 hard-float little-endian
>
> * strftime's default formatting of a locale's alternative year (%Ey)
> has been changed to zero-pad the year to a minimum of two digits,
> like "%y". This improves the display of Japanese era years during
> the first nine years of a new era, and is expected to be harmless
> for all other locales (only Japanese locales regularly have
> alternative year numbers less than 10). Zero-padding can be
> overridden with the '_' or '-' flags (which are GNU extensions).
>
> * As a GNU extension, the '_' and '-' flags can now be applied to
> "%EY" to control how the year number is formatted; they have the
> same effect that they would on "%Ey".

[…]

> Security related changes:
>
> CVE-2018-19591: A file descriptor leak in if_nametoindex can lead to a
> denial of service due to resource exhaustion when processing
> getaddrinfo calls with crafted host names. Reported by Guido Vranken.
>
> CVE-2019-6488: On x32, the size_t parameter may be passed in the lower
> 32 bits of a 64-bit register with with non-zero upper 32 bit. When it
> happened, accessing the 32-bit size_t value as the full 64-bit
> register in the assembly string/memory functions would cause a buffer
> overflow.
> Reported by H.J. Lu.
>
> CVE-2016-10739: The getaddrinfo function could successfully parse IPv4
> addresses with arbitrary trailing characters, potentially leading to
> data or command injection issues in applications.

[1]: https://sourceware.org/ml/libc-announce/2019/msg00000.html
That is the oldest Linux kernel version, currently in MarIuX.
--enable-stack-protector=[yes|no|all|strong] Use -fstack-protector[-all|-strong] to detect glibc buffer overflows
Remove debug code from mee_check.
Remove --disable-profile, because that is the default.
Remove options, which no longer exist.
This code was formerly part of glibc, but is now standalone to be able to link against TI-RPC for IPv6 support.
This package contains rpcsvc proto.x files from glibc, which are missing in libtirpc. Additionally it contains rpcgen, which is needed to create header files and sources from protocol files. This package is only needed, if glibc is installed without the deprecated sunrpc functionality and libtirpc should replace
Fix

    ./include/rpc_subs.h:19:10: fatal error: rpc/rpc.h: No such file or directory
     #include <rpc/rpc.h>
              ^~~~~~~~~~~

libtirpc provides the include files in another directory than glibc did. Add --with-libtirpc so that pkg_config is used to pick up the right include path:

    $ pkg-config --cflags libtirpc
    -I/usr/include/tirpc
This package contains the libnsl library. This library contains the public client interface for NIS(YP) and NIS+. This code was formerly part of glibc, but is now standalone to be able to link against TI-RPC for IPv6 support. The NIS(YP) functions are still maintained, the NIS+ part is deprecated and should not be used anymore.
Sorry, login screen. Yes, lightdm (user gdm, though).
Whatever, the screen lock. |
Tested login screen and lock screen. No problem. |
What is the current status? The usability tests passed, right? |
Status: I think we can risk it... |
The bee update/install command to update all affected packages would be great.
Above, #2049 (comment), still valid. |
Update with: