On 2021-06-04 21:51, Florian Weimer wrote:
> * Aurelien Jarno:
>
> > On 2021-06-04 20:34, Florian Weimer wrote:
> >> * Moritz Mühlenhoff:
> >>
> >> > On Wed, Sep 09, 2020 at 12:30:44PM +0200, Aurelien Jarno wrote:
> >> >> control: forcemerge 967938 969926
> >> >>
> >> >> Hi,
> >> >>
> >> >> On 2020-09-09 02:58, Bernd Zeimetz wrote:
> >> >> > Source: glibc
> >> >> > Version: 2.28-10
> >> >> > Severity: serious
> >> >> > Tags: security upstream patch
> >> >> > X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
> >> >> >
> >> >> > Hi,
> >> >> >
> >> >> > we are running into the bug
> >> >> > https://sourceware.org/bugzilla/show_bug.cgi?id=20338
> >> >> > causing systemd-sysusers to segfault.
> >> >> >
> >> >> > Patch is available in the linked bug report.
> >> >>
> >> >> This has already been reported, Florian will work on a backport, as it
> >> >> is not straightforward to backport it to buster due to the usage of
> >> >> private symbols.
> >> >
> >> > Florian, did you manage to backport this to 2.31? It would be nice to
> >> > get this fixed for a Buster point release still.
> >>
> >> Do you mean 2.28?  DJ Delorie did the backport, and Carlos O'Donell
> >> implemented the GLIBC_PRIVATE ABI compatibility fix.  I'll see if I
> >> can get the patches to apply to Debian's 2.28 tree.
> >
> > Is it possible to commit those patches to the upstream 2.28 branch? If
> > so, I guess we can simply pull the branch in the Debian package, fixing
> > many other security bugs at the same time.
>
> I'm concerned about the GLIBC_PRIVATE internal ABI change, it causes
> issues if the update is applied without a reboot:
>
> glibc: After upgrade, before reboot, systemd services using USER= do
> not start (caused by fix for bug 1871397)
> <https://bugzilla.redhat.com/show_bug.cgi?id=1927040>

That issue looks problematic for Debian, we usually do not require an
(immediate) reboot after applying a security upgrade.

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurel...@aurel32.net                 http://www.aurel32.net