From ${URL} :

CVE-2016-4429 fix introduced a use-after-free vulnerability in clntudp_call of sunrpc.

Upstream bug: https://sourceware.org/bugzilla/show_bug.cgi?id=21115
Upstream patch: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d42eed4a044e5e10dfb885cf9891c2518a72a491

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
Fix for CVE-2016-4429 was released in vanilla glibc 2.24.

Fix for CVE-2016-4429 was backported to the Gentoo patchset (version 5) for glibc 2.23 on 2016-11-12:
https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo/src/patchsets/glibc/2.23/00_all_0062-CVE-2016-4429-sunrpc-Do-not-use-alloca-in-clntudp_ca.patch?revision=1.1&view=markup
https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo/src/patchsets/glibc/2.23/README.history?revision=1.6&view=markup
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7af5acbed1ecb03e2ec1da457505c1ddac4009c1

Fix for CVE-2017-12133 was released in vanilla glibc 2.26.

Fix for CVE-2017-12133 was backported to the Gentoo patchset (version 2) for glibc 2.25 on 2017-03-15:
https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo/src/patchsets/glibc/2.25/00_all_0007-sunrpc-Avoid-use-after-free-read-access-in-clntudp_c.patch?revision=1.1&view=markup
https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo/src/patchsets/glibc/2.25/README.history?revision=1.2&view=markup
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe7688e141e68c4595a17baf4eba9f9f130d4e62
All vulnerable versions are masked.

No further cleanup (toolchain package).

Nothing to do for toolchain here anymore.
Downgraded.

DNS spoofing.

GLSA Vote: No