Update NEWS for CVE-2019-19126

author: Florian Weimer <fweimer@redhat.com> 2019-11-22 13:45:03 +0100
committer: Florian Weimer <fweimer@redhat.com> 2019-11-22 13:45:03 +0100
commit: 5422ac2d08dec91d4eb61d20b5e4b121500a4b88 (patch)
tree: 7fbcae9f02a5c22521b1c59667f7cca2ae899886
parent: 2626b15e88e00b5e9c8cc3962cf4768a5344f07a (diff)
download: glibc-5422ac2d08dec91d4eb61d20b5e4b121500a4b88.tar.gz
glibc-5422ac2d08dec91d4eb61d20b5e4b121500a4b88.tar.xz
glibc-5422ac2d08dec91d4eb61d20b5e4b121500a4b88.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 4ad7c47d5f..6b3f4e0776 100644
--- a/NEWS
+++ b/NEWS
@@ -51,6 +51,12 @@ Security related changes:
   via proceed_next_node in posix/regexec.c leads to heap-based buffer
   over-read.  Reported by Hongxu Chen.
 
+  CVE-2019-19126: ld.so failed to ignore the LD_PREFER_MAP_32BIT_EXEC
+  environment variable during program execution after a security
+  transition, allowing local attackers to restrict the possible mapping
+  addresses for loaded libraries and thus bypass ASLR for a setuid
+  program.  Reported by Marcin Kościelnicki.
+
 
 Version 2.29
author	Florian Weimer <fweimer@redhat.com>	2019-11-22 13:45:03 +0100
committer	Florian Weimer <fweimer@redhat.com>	2019-11-22 13:45:03 +0100
commit	5422ac2d08dec91d4eb61d20b5e4b121500a4b88 (patch)
tree	7fbcae9f02a5c22521b1c59667f7cca2ae899886
parent	2626b15e88e00b5e9c8cc3962cf4768a5344f07a (diff)
download	glibc-5422ac2d08dec91d4eb61d20b5e4b121500a4b88.tar.gz glibc-5422ac2d08dec91d4eb61d20b5e4b121500a4b88.tar.xz glibc-5422ac2d08dec91d4eb61d20b5e4b121500a4b88.zip