Hi,

The following vulnerability was published for glibc.

CVE-2026-4046[0]:
| The iconv() function in the GNU C Library versions 2.43 and earlier
| may crash due to an assertion failure when converting inputs from
| the IBM1390 or IBM1399 character sets, which may be used to remotely
| crash an application. This vulnerability can be trivially
| mitigated by removing the IBM1390 and IBM1399 character sets from
| systems that do not need them.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-4046
    https://www.cve.org/CVERecord?id=CVE-2026-4046
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=33980
[2] https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1132499@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 19 Apr 2026 15:41:41 +0200
Source: glibc
Architecture: source
Version: 2.42-15
Distribution: unstable
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Closes: 1132499
Changes:
 glibc (2.42-15) unstable; urgency=medium
 .
   [ Aurelien Jarno ]
   * debian/patches/git-updates.diff: update from upstream stable branch:
     - Fix random failure of tst-link-map-contiguous-ldso.
     - Fix tst-rseq with Linux 7.0.
     - Fix a possible crash due to an assertion failure when converting inputs
       from the IBM139x character sets (CVE-2026-4046). Closes: #1132499.
 .
   [ Samuel Thibault ]
   * debian/patches/hurd-i386/git-MSG_EXAMINE.diff: alterations to MSG_EXAMINE
     interface.
   * debian/patches/hurd-i386/git-interrupt-EINTR.diff: Interrupted RPC returning
     EINTR when server has actually changed state.
   * debian/patches/hurd-i386/git-SEM_FAILED.diff: Fix SEM_FAILED type.
   * debian/patches/hurd-i386/git-tst-fix.diff: Fix test build.
Format: 1.8
Date: Mon, 27 Apr 2026 22:14:33 +0200
Source: glibc
Architecture: source
Version: 2.36-9+deb12u14
Distribution: bookworm
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Closes: 1125678 1125748 1126266 1131435 1131887 1132499
Changes:
 glibc (2.36-9+deb12u14) bookworm; urgency=medium
 .
   * debian/patches/git-updates.diff: update from upstream stable branch:
     - Fix a performance bottleneck with the Address Sanitizer (ASAN) on 32-bit
       arm.
     - Fix _dl_find_object when ld.so has LOAD segment gaps, causing wrong
       backtrace unwinding. This affects at least arm64.
     - Add GLIBC_ABI_DT_X86_64_PLT symbol version on amd64.
     - Fix typo in wmemset ifunc selector that caused AVX2/AVX512 paths to be
       skipped.
     - Fix POWER optimized rawmemchr function on ppc64el.
     - Optimize trylock for high cache contention workloads.
     - Fix an integer overflow in _int_memalign leading to heap corruption
       (CVE-2026-0861). Closes: #1125678.
     - Fix stack contents leak in getnetbyaddr (CVE-2026-0915). Closes:
       #1125748.
     - Fix bug in wordexp, which could return uninitialized memory when using
       WRDE_REUSE together with WRDE_APPEND (CVE-2025-15281). Closes: #1126266.
     - Fix invalid pointer arithmetic in ANSI_X3.110 iconv module
     - Fix a typo preventing new tst-wordexp-reuse-mem to run
     - Fix incorrect handling of DNS responses in gethostbyaddr and
       gethostbyaddr_r (CVE-2026-4437). Closes: #1131435.
     - Fix invalid DNS hostnames returned by gethostbyaddr and
       gethostbyaddr_r (CVE-2026-4438). Closes: #1131887.
     - Fix random failure of tst-link-map-contiguous-ldso.
     - Fix a possible crash due to an assertion failure when converting
       inputs from the IBM139x character sets (CVE-2026-4046). Closes:
       #1132499.
   * d/p/amd64/local-revert-x86-64-add-GLIBC_ABI_DT_X86_64_PLT-version.diff:
     revert addition of the GLIBC_ABI_DT_X86_64_PLT symbol version used as ABI
     flag, as the dpkg-shlibdeps version in bookworm is not able to handle it
     (see #1122107).
Format: 1.8
Date: Mon, 27 Apr 2026 22:09:22 +0200
Source: glibc
Architecture: source
Version: 2.41-12+deb13u3
Distribution: trixie
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Closes: 1131435 1131887 1132499
Changes:
 glibc (2.41-12+deb13u3) trixie; urgency=medium
 .
   * debian/control.in/libc: ensure that libdpkg-perl is fixed wrt symbol
     versions used as ABI flag.
   * Stop reverting the following patches now that dpkg-shlibdeps in trixie
     supports symbol versions used as ABI flag (see #1122107):
     - local-revert-x86-64-add-GLIBC_ABI_DT_X86_64_PLT-version.diff
     - local-revert-x86-64-add-GLIBC_ABI_GNU2_TLS-version.diff
     - local-revert-i386-add-GLIBC_ABI_GNU2_TLS-version.diff
     - local-revert-i386-add-GLIBC_ABI_GNU_TLS-version.diff
   * debian/symbols.wildcards: define the GLIBC_ABI_DT_X86_64_PLT,
     GLIBC_ABI_GNU_TLS and GLIBC_ABI_GNU2_TLS symbol versions.
   * debian/patches/git-updates.diff: update from upstream stable branch:
     - Fix a null pointer dereference in the nss_database_check_reload_and_get
       function.
     - Fix tst-preadvwritev2 and tst-preadvwritev64v2 with recent kernels.
     - Fix invalid pointer arithmetic in ANSI_X3.110 iconv module
     - Fix a typo preventing new tst-wordexp-reuse-mem to run
     - Fix incorrect handling of DNS responses in gethostbyaddr and
       gethostbyaddr_r (CVE-2026-4437). Closes: #1131435.
     - Fix invalid DNS hostnames returned by gethostbyaddr and
       gethostbyaddr_r (CVE-2026-4438). Closes: #1131887.
     - Fix random failure of tst-link-map-contiguous-ldso.
     - Fix tst-rseq with Linux 7.0.
     - Fix a possible crash due to an assertion failure when converting
       inputs from the IBM139x character sets (CVE-2026-4046). Closes:
       #1132499.
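A host audit for the mitigation named in the original report and the fixed versions listed in the three upload notices, as an added example that is not part of the bug log or of the glibc packaging. It assumes the converters are installed as `IBM1390.so` and `IBM1399.so` in a `gconv` directory under `/usr/lib*` or `/lib*`, and that the C library binary package is called `libc6`; the function names are hypothetical.

```shell
#!/bin/sh
# Usage: sh check.sh [ROOT] [SUITE]   (SUITE: bookworm, trixie or unstable)

# Print every IBM1390/IBM1399 gconv module found under ROOT (default /).
affected_modules() {
    root=${1:-/}
    find "${root%/}"/usr/lib* "${root%/}"/lib* -type f -path '*/gconv/*' \
        \( -name 'IBM1390.so' -o -name 'IBM1399.so' \) 2>/dev/null | sort
}

# Fixed glibc versions, copied from the upload notices on this page.
fixed_version() {
    case $1 in
        bookworm) echo '2.36-9+deb12u14' ;;
        trixie)   echo '2.41-12+deb13u3' ;;
        unstable) echo '2.42-15' ;;
        *)        return 1 ;;
    esac
}

# True when version $1 is at or above the fixed version for suite $2.
is_fixed() {
    want=$(fixed_version "$2") || return 2
    dpkg --compare-versions "$1" ge "$want"
}

# Return 0 when the converters are absent or the package carries the fix,
# 1 otherwise. The package query covers the running host, not ROOT.
report() {
    mods=$(affected_modules "$1")
    if [ -z "$mods" ]; then
        echo "IBM1390/IBM1399 converters not installed"
        return 0
    fi
    echo "$mods" | sed 's/^/converter present: /'
    # Assumption: the binary package is named libc6 on this architecture.
    have=$(dpkg-query -W -f='${Version}' libc6 2>/dev/null) || have=
    if [ -n "$have" ] && is_fixed "$have" "$2" 2>/dev/null; then
        echo "libc6 $have includes the fix for $2"
        return 0
    fi
    echo "libc6 ${have:-unknown}: upgrade, or remove the converters if unused"
    return 1
}

# The status is informational here; call report directly to act on it.
report "${1:-/}" "${2:-unstable}" || :
```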