Leo Famulari writes:

> On Sat, Oct 21, 2017 at 11:17:32PM +0200, Marius Bakke wrote:
>> * gnu/packages/patches/glibc-CVE-2017-15670-15671.patch: New file.
>> * gnu/local.mk (dist_patch_DATA): Register it.
>> * gnu/packages/base.scm (glibc/linux)[replacement]: New field.
>> (glibc/fixed): New variable.
>
> Thanks!
>
> Do you think we need to do anything special with the glibc packages
> besides glibc/linux, such as glibc/hurd, glibc-2.24, etc?

It probably should be picked to the earlier glibcs as well, IIRC the affected code was from 1997. I'll try this and amend the patch.

Not sure about glibc/hurd, but I notice it does not have the other security patches that 'glibc-2.23' has. Picking those should be left to someone able to easily test it IMO.

Side-note: I was really surprised that grafting glibc had become *this easy*, but it seems to work in my testing.

I'll push this after patching the older glibc variants unless there are further comments.