author: Andreas K. Hüttel <dilfridge@gentoo.org> 2024-01-30 22:40:34 +0100
committer: Andreas K. Hüttel <dilfridge@gentoo.org> 2024-01-30 22:40:34 +0100
commit: 62150d038d8b190304993d98d611555f61a250ed
tree: 25897de64296dff0523bc37f0fa76dbd870364ba
parent: cc1b91eabd806057aa7e3058a84bf129ed36e157
NEWS: insert advisories and fixed bugs for 2.39
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
-rw-r--r-- NEWS 137
1 files changed, 133 insertions, 4 deletions
diff --git a/NEWS b/NEWS
index 7b983c8644..1b89f9c010 100644
--- a/NEWS
+++ b/NEWS
@@ -109,13 +109,142 @@ Security related changes:
The following CVEs were fixed in this release, details of which can be
found in the advisories directory of the release tarball:
- [The release manager will add the list generated by
- scripts/process-fixed-cves.sh just before the release.]
+ GLIBC-SA-2023-0002:
+ getaddrinfo: Stack read overflow in no-aaaa mode (CVE-2023-4527)
+
+ GLIBC-SA-2023-0003:
+ getaddrinfo: Potential use-after-free (CVE-2023-4806)
+
+ GLIBC-SA-2023-0004:
+ tunables: local privilege escalation through buffer overflow
+ (CVE-2023-4911)
+
+ GLIBC-SA-2024-0001:
+ syslog: Heap buffer overflow in __vsyslog_internal (CVE-2023-6246)
+
+ GLIBC-SA-2024-0002:
+ syslog: Heap buffer overflow in __vsyslog_internal (CVE-2023-6779)
+
+ GLIBC-SA-2024-0003:
+ syslog: Integer overflow in __vsyslog_internal (CVE-2023-6780)
The following bugs are resolved with this release:
- [The release manager will add the list generated by
- scripts/list-fixed-bugs.py just before the release.]
+ [14522] localedata: fy_DE: LC_IDENTIFICATION data looks weird
+ [19305] libc: qsort() should return early if (nmemb <= 1)
+ [19479] localedata: gbm_IN: new Garhwali Locale
+ [19924] dynamic-link: TLS performance degradation after dlopen
+ [19956] localedata: ssy_ER: rename from aa_ER@saaho
+ [21719] libc: stdlib/msort : optimizing merge sort
+ [22526] localedata: th_TH LC_COLLATE does not use copy "iso14651_t1"
+ [23012] localedata: el_GR: Greece now uses the 24h format for time
+ [23172] localedata: miq_NI: Provide actually abbreviated month names
+ [24006] localedata: Cyclic dependencies via copy in locales
+ [24013] localedata: am_pm definitions for es_ES
+ [24386] localedata: crh_RU: new locale
+ [24877] localedata: [Redundant Data] Remove redundant data between
+ en_NZ and en_AU
+ [25868] localedata: Incorrect trailing spaces in weekday names for
+ nn_NO
+ [26752] localedata: Please add the new locale zgh_MA
+ [27069] dynamic-link: Need a way to tell if a tunable is set by user
+ [27163] localedata: Error on test glk_IR with localedef
+ [27312] localedata: su_ID: new Sundanese locale
+ [27547] manual: "Summary of malloc-Related Functions" shows wrong
+ argument order for `aligned_alloc` and `memalign`
+ [27574] libc: glibc should probably not define __WORDSIZE=64 for
+ __sparcv9
+ [27601] localedata: License information update in
+ localedata/locales/ast_ES
+ [28558] localedata: it_IT LC_MONETARY outdated p_cs_precedes and
+ n_cs_precedes
+ [28787] localedata: Add information for Occitan
+ [29039] dynamic-link: Corrupt DTV after reuse of a TLS module ID
+ following dlclose with unused TLS
+ [29486] localedata: New Zealand locales (en_NZ & mi_NZ) first day of
+ week should be Monday
+ [29504] localedata: Incorrect/misleading Time Format For ms_MY (AM/PM)
+ [29506] localedata: UTF-8 HANGUL SYLLABLE bugs
+ [30349] libc: Support returning a pidfd from posix_spawn()
+ [30412] localedata: d_t_fmt in id_ID uses %r placeholder but am_pm and
+ t_fmt_ampm are undefined
+ [30605] localedata: New locale for Komi language
+ [30649] localedata: [PATCH] Add transliteration of common emojis to
+ smileys
+ [30694] locale: The iconv program no longer tells the user which given
+ encoding name was wrong
+ [30709] nscd: nscd fails to build with cleanup handler if built with
+ -fexceptions
+ [30737] libc: fdopendir() is not robust - returns bogus DIR* instead
+ of flagging an error
+ [30740] build: [m68k] undefined reference to
+ `_wordcopy_fwd_dest_aligned'
+ [30745] libc: Slight bug in cache info codes for x86
+ [30750] network: Unaligned accesses in resolver
+ [30773] math: [m68k] busybox awk is broken (lshift.S related)
+ [30789] libc: [2.38 Regression] sem_open will fail on multithreaded
+ scenarios when semaphore file doesn't exist (O_CREAT)
+ [30800] nscd: Improper assert in prune_cache triggers if clock jumps
+ backwards
+ [30804] libc: F_GETLK, F_SETLK, and F_SETLKW value change for
+ powerpc64 with -D_FILE_OFFSET_BITS=64
+ [30842] network: Stack read overflow in getaddrinfo in no-aaaa mode
+ (CVE-2023-4527)
+ [30843] network: potential use-after-free in getcanonname
+ (CVE-2023-4806)
+ [30854] localedata: Update locale data to Unicode 15.1.0
+ [30884] network: Memory leak in getaddrinfo after fix for bug 30843
+ (CVE-2023-5156)
+ [30932] libc: Fortify Source has false-positives when too many files
+ are open
+ [30945] malloc: Core affinity setting incurs lock contentions between
+ threads
+ [30960] math: signed integer overflow in
+ glibc/sysdeps/s390/fpu/feenablxcpt.c
+ [30964] locale: Number grouping check mishandles multibyte thousands
+ separator
+ [30981] dynamic-link: dlclose does not properly implement force-first
+ handling
+ [30988] math: fesetexcept raises floating-point exception traps on
+ ppc, ppc64, ppc64le
+ [30989] math: fesetexcept raises floating-point exception traps on
+ i386
+ [30990] libc: fesetexceptflag raises floating-point exception traps on
+ i386, x86_64
+ [30998] math: fesetexceptflag clears too many floating-point exception
+ flags on alpha
+ [31019] manual: The documentation of feenableexcept is incomplete
+ [31022] math: feupdateenv (FE_DFL_ENV) crashes on riscv
+ [31035] libc: Library search path terminates on relative non-directory
+ name
+ [31042] libc: [s390x] .init and .fini padding
+ [31068] libc: sysdeps: sparc: invalid data access in memset due to
+ regression
+ [31078] manual: Code example in "Noncanonical Mode Example" has unused
+ 'char *name;'
+ [31086] localedata: Errors in Tibetan, Dzongkha data
+ [31113] string: Wrong unwind information for rawmemchr on aarch64
+ [31151] libc: [RISC-V] missing support for profile/audit PLT setup
+ [31163] nss: getaddrinfo returns EAI_NONAME in oom situation
+ [31183] stdio: Wide stream buffer size reduced MB_LEN_MAX bytes after
+ bug 17522 fix
+ [31184] dynamic-link: FAIL: elf/tst-tlsgap
+ [31185] dynamic-link: Incorrect thread point access in
+ _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic
+ [31187] dynamic-link: Some CET tests fail with GCC 14
+ [31204] localedata: Fix decimal point and thousands separator for
+ uz_UZ
+ [31205] localedata: Inconsistent (mon_)grouping formats
+ [31218] dynamic-link: PLT rewrite overflows large displacement on x32
+ [31221] localedata: Add localedata for ISO code "tok" (Toki Pona)
+ [31230] dynamic-link: PLT rewrite failed without SELinux
+ [31239] localedata: anp_IN locale: abbreviated month names are the
+ same as the full month names
+ [31244] nptl: pthread_cancel hangs on sparc32
+ [31257] localedata: Sync with CLDR: “Turkey” -> “Türkiye”
+ [31266] string: sparc: string/tst-memmove-overflow fails on 32-bit
+ sparcv9
+ [31276] libc: Wrong condition for heap allocation in qsort_r
Version 2.38
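Review bot: CVE-2023-5156 appears in the fixed-bugs list at [30884] ("Memory leak in getaddrinfo after fix for bug 30843") but has no matching entry in the "Security related changes" list, which covers only CVE-2023-4527, CVE-2023-4806, CVE-2023-4911 and the three syslog CVEs. If an advisory file exists for it, the generated list should include it; if it does not, the gap should be explained, because anyone triaging this release from the security section alone will not see that CVE. Separately, GLIBC-SA-2024-0001 and GLIBC-SA-2024-0002 carry the identical summary "syslog: Heap buffer overflow in __vsyslog_internal" and differ only in the CVE number, so a distinguishing phrase in each advisory title would help readers tell the two apart when matching them against patches.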