Upgrade glibc from 2.42 to 2.43 and fix + update other dev packages

packages/conntrack-tools/0001-disable-RPC-helper.patch

@@ -1,6 +1,6 @@
-From 5a76b5fa1b631191adbec7919f58e067dd6c2896 Mon Sep 17 00:00:00 2001
+From cb657871f2dd2d3196fb05fe8fdd4b77cfa9bac6 Mon Sep 17 00:00:00 2001
 From: Ben Cressey <bcressey@amazon.com>
-Date: Tue, 19 Mar 2024 14:17:52 +0000
+Date: Wed, 11 Mar 2026 00:02:05 +0000
 Subject: [PATCH] disable RPC helper
 
 We do not intend to run the daemon to synchronize firewall rules or
@@ -10,13 +10,17 @@ The RPC helper would require us to package libtirpc, which we want
 to avoid for now since we have no other need for it.
 
 Signed-off-by: Ben Cressey <bcressey@amazon.com>
+[KCSesh:
+  - rebased to 1.4.9]
+Signed-off-by: Kyle Sessions <kssessio@amazon.com>
+
 ---
  configure.ac            | 2 --
  src/helpers/Makefile.am | 5 -----
  2 files changed, 7 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index da852b1..973a9d5 100644
+index a72963c..eb032a7 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -49,8 +49,6 @@ AC_ARG_ENABLE([systemd],
@@ -27,7 +31,7 @@ index da852b1..973a9d5 100644
 -
  PKG_CHECK_MODULES([LIBNFNETLINK], [libnfnetlink >= 1.0.1])
  PKG_CHECK_MODULES([LIBMNL], [libmnl >= 1.0.3])
- PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.0.9])
+ PKG_CHECK_MODULES([LIBNETFILTER_CONNTRACK], [libnetfilter_conntrack >= 1.1.1])
 diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
 index e458ab4..47f1d46 100644
 --- a/src/helpers/Makefile.am
@@ -51,6 +55,4 @@ index e458ab4..47f1d46 100644
  ct_helper_tftp_la_SOURCES = tftp.c
  ct_helper_tftp_la_LDFLAGS = $(HELPER_LDFLAGS)
  ct_helper_tftp_la_CFLAGS = $(HELPER_CFLAGS)
--- 
-2.40.1
 

packages/conntrack-tools/Cargo.toml

@@ -12,12 +12,12 @@ path = "../packages.rs"
 releases-url = "https://www.netfilter.org/projects/conntrack-tools/files"
 
 [[package.metadata.build-package.external-files]]
-url = "https://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools-1.4.8.tar.xz"
-sha512 = "95d8f6f068c1342ad7e767537e722272a4f5bd8b46b952713ade053a1043aa9ababbe5ce658ede9c77b6de5221b97ad8833777caffd69b67dd70a99f2b45afdf"
+url = "https://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools-1.4.9.tar.xz"
+sha512 = "1cef49d6f1995915a5c6b811fefc02bef92c9881b6eba8d6f85071f4f129ec139dadfd5546fa02d3ed42888f4d6f46ffc0cc13da30de1baa28a795b95041c035"
 
 [[package.metadata.build-package.external-files]]
-url = "https://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools-1.4.8.tar.xz.sig"
-sha512 = "8cd229d2e980ab1788e90fc8f53827fe1e4b21801cad6cddf6a9ff537501c40c52242cc964005b2889ad0a4548c772304db8696d4644611ecf9f091aca5c14ee"
+url = "https://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools-1.4.9.tar.xz.sig"
+sha512 = "8fe0e78d1d76924e3897924af32b3cae5fcb5d42661ea728ed00bf6539c6319720844a3c378fb304ca78da7d31d92361d08640f7f00064752ce0e41e9bd0490a"
 
 [build-dependencies]
 glibc = { path = "../glibc" }

packages/conntrack-tools/conntrack-tools.spec

@@ -1,5 +1,5 @@
 Name: %{_cross_os}conntrack-tools
-Version: 1.4.8
+Version: 1.4.9
 Release: 1%{?dist}
 Epoch: 1
 Summary: Tools for managing Linux kernel connection tracking
@@ -8,7 +8,7 @@ License: GPL-2.0-or-later AND GPL-2.0-only
 URL: http://conntrack-tools.netfilter.org/
 Source0: https://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools-%{version}.tar.xz
 Source1: https://www.netfilter.org/projects/conntrack-tools/files/conntrack-tools-%{version}.tar.xz.sig
-Source2: gpgkey-37D964ACC04981C75500FB9BD55D978A8A1420E4.asc
+Source2: gpgkey-8C5F7146A1757A65E2422A94D70D1A666ACF2B21.asc
 Patch1: 0001-disable-RPC-helper.patch
 
 BuildRequires: %{_cross_os}glibc-devel

packages/conntrack-tools/gpgkey-8C5F7146A1757A65E2422A94D70D1A666ACF2B21.asc

@@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGcLlIQBEADH+pWx2d5XgY2JCOHTVaOpbNlNfp1k9Ul0W5zaZ7EFHIGSj06E
+o3+OM0eI6+d51PnqwRE+WbV4T3ooGnfgXN4fmKgq2TwkxlhKeFSzNGMuzzuoEwD+
+2cvSF9VIrwif1o9oa9KMNfKTY/qjuWZS0QWZ08thPAf/tWpoaA3gaqYQUshj5G3w
+nTMdYlHUj7wkZCMg63tDygAe/7fDT3zurKCMbFoyiyQkp7V1SLxZpvuyuyPH6HtQ
+P5xcbXsp5ots0BgN+BplMX89DrspxJXqi7AsTf4QnC78KbchMJJxLKZQS759dQHF
+qHUTb3YdlxXFou6Si5LiBzvmqBRFj6m/WV1a8mDy5fPDkOLoTCUFHLmgvYHPJdtK
+5EqNkwYAbSnZKe9aSeVa4XhaZqyyQb9vIsKyOnwdJ/l222J95qHQapZSLcRdqgQz
+ZgxuEdOHacEaJ1IJ21CE8EtJfFA5DMZtkZNIGF3OFlXhw7YxJoPgsodtlVspQsfX
+u2FGP9yg0fd4zLgHnotKqfJQ9ZjMB6bbJUd6Au9jv0SiM+kVGeVfyaaX7TDeQ3TT
+/e44uFvkHkbYFQPcqsTalxtre6v7pMG2iu2mbkhQOC7qbL5MKMSdA93w/lF7w20b
+cwyDavEoKk9vgDjSkVjaffvdy4cESa5JY4lM4ZmzoujnAZMwbzQeGcBtqQARAQAB
+tCxOZXRmaWx0ZXIgQ29yZSBUZWFtIDxjb3JldGVhbUBuZXRmaWx0ZXIub3JnPokC
+VAQTAQoAPhYhBIxfcUahdXpl4kIqlNcNGmZqzyshBQJnC5SEAhsDBQkHhM4ABQsJ
+CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJENcNGmZqzyshRE4P/AknD3DAWuCT7x7L
+LFIUCkfl7WUou9zMQKy62JRK/+/lNyG1dkmvBu7XWLl/+IRv1uIb25I4xwaze6GF
+8yhZDNXZLhUjComr864fMEdKNdXInAClLRNY0InkFmHw/SizvwDld4PgsLzoS+qL
+5JY4FBlYEnd4wlIwH/w3gPycmdmQNVOjeWJhDrYKGLnjolpGRQPYRME4kjasWPbK
+AWG/lpINQEB1DgtK8e6kcbUA8wSU6MMEsJjPY0o7lr9NvPfRpPXq34LjoFUXk3Hi
+Bt8OuVVMo+wTmlZWkXdknFKS4IPVxUA53oJOVMFW8divmF/l676KBogSnczoX4vR
+VW8sgDEKqb0NicKWJ2Fou+/KueY5OXsO8aZrZtXOsXIAMberdrNDYhyTUSYF8mZF
+RdL6Jcm5GbQB/zOQElgzMwPQq5AD7SkziMzGOusWjqGmu9qphed/FimVbyRhMl5B
+uDvGHthhy1KlPkqVcddN6i3/Kd/AMqXAuWMZH9FXJkUUWe+VAyeNHfEuBtSK2rqE
+zf8TYGg5Gz+oNspWuqEyWUwoH7eQkRx2GIbwu2rwcIzrh8L0rsyu+6FNNHnQfnNq
+ytbE888dxKkXeJ5T09Pp/hPwkNM8X8ZLcTTsAknrvqLNp2As49dP6iJwysfYLf/v
+3Cyvz23JNeSQiTcC4YfKLs4LtCFkuQINBGcLlIQBEADZjvn7+u5Zbt5zmYfZnE2y
+mtDE0+nDY6RFVNzAyJmze6Sk3Pz/rOk1WAWJ9atVNF010JX4dhxnay3mwDnVltFn
+M+Co/aDpURzgEcqt5kc2/YYggfPZiXMOcTSJ/N3eS/yCajjUmlSyp08H8J01WgiW
+LheciKgzDkl4Egt7Gxi8f8hHIQIUBFlBvJ5vVk8mxX6vfJhaxxCkRrEoHwh6uijD
+Z/TboVtePWSvipJT12ahcg6ER3cor7fY/YXwNJa+LerH1xHyXnc4zTtn9GfK9rEI
+ZsN8pGA5MxBfCM5IIopNSnuPk5qQ/+Li/4X4G5KFcWVeoCNzPa6rOaNYJQLkhY7K
+xsqINRJFF6ZUk0J+Hmv70OrdYgZE29q96s4SvlS+xlpb2WvQxqvG7TQIjoyiqmtP
+t80U18jyQHTEDF/hQQIZmhyaMpQKxB3c7+YWge679GhoyleDtYn6J0hhNqZZZkg2
+0zt3sSHrJS4A4eRqlZkFt9CuSb3nCp2/O9XNLrc0SxwRd+BzmIEVgXJdfAxg/ks1
+yo9f//uAGrXAAcKDSR0xIejd/5g93yclpMjMCyc6NceNz5ptQ5M4qDvVTEsRu0Xm
+h/VkQ7ct0fN4E54xCNAg5Bu5tJ13La7A3JgQmDEp764lla+5DWEPbUovVlGvArNM
+QpsuPXxfu4oSJcgDUdmjKwARAQABiQI8BBgBCgAmFiEEjF9xRqF1emXiQiqU1w0a
+ZmrPKyEFAmcLlIQCGwwFCQeEzgAACgkQ1w0aZmrPKyGT7g/+KmIQHZgrWonDo3rj
+CNBISgNDtHJ17wUcClyhiEmem7f3+X4n8u/DUOFXUM3KbEZNVb2hB0ReR/qsQkCf
+DHcynGKaJQqYY4q9YBPszT+4Lcx+Bzgc89/6uhiuR5qsFrYd19+ckq4K4Z1GWV/q
+ZZvYESESKpoo4YXQ6f9/9hXLJEM6/VLyEAwdeE220lQLA8eXEFDORdZ0tQACTUq3
+m7hHAXnjNDdRz7alpnCbgB7U5ZPiucpNNnIGz/fdur5bctbiOOlMiOLf8TsZiGOo
+F5XEjGwZ1ZgdLBPrCiUxO0Kw6UUTYrHgjS2XK/0zafZaxaWlF8/ycF3PnNVQvFJg
+EZPTSx7H6Bs+R374YlMJfesLb7tWCiHr/Z31adW29/13jQFSXfoTcTpZL+vLN33r
+rb7+70EdeBPHLwlU1yu2gGSpFiZdp/KT6IbF7Ob8K7Bt+qBUh/fI3oS7cy66YLVo
++je1PEloSPSZUxGiKRC/wtX6FSXkmbPE6tbKmGsPNZaLwxZPMLktXhYVnhFaHSUL
+HwjwYLEBmeOqGYFs9wFNyqweK7jcY5CScX4Crt/aRw6796OWbnwB6CAB0XT0z5XB
+9Vov9Sy4C6h1QvfouzdQpbDtf1YLWJmcM8VsbBCTnBNvrzkTqFc4DIeZRoQi4ev9
+1Uy/eoSI3DKeFqA/BJTz/pv7+og=
+=d7nb
+-----END PGP PUBLIC KEY BLOCK-----

packages/coreutils/Cargo.toml

@@ -12,12 +12,12 @@ path = "../packages.rs"
 releases-url = "https://ftp.gnu.org/gnu/coreutils"
 
 [[package.metadata.build-package.external-files]]
-url = "https://ftp.gnu.org/gnu/coreutils/coreutils-9.9.tar.xz"
-sha512 = "e7b0e59f7732d2c098ea4934014f470248bd5c4764210e9200a698010a8e3b95bbb26e543f0cd73ed5a4b8e1f8cda932c73f39954d68175e4deaa47526610c65"
+url = "https://ftp.gnu.org/gnu/coreutils/coreutils-9.10.tar.xz"
+sha512 = "976ccfb8b906273a687ec330938a25ab72fb130988ca2fcad4fb6e12f4b621eb76b6e9ee091ad060361e95a8da26835b2484fffd3b5f9c7cdb100c1eb7b7d676"
 
 [[package.metadata.build-package.external-files]]
-url = "https://ftp.gnu.org/gnu/coreutils/coreutils-9.9.tar.xz.sig"
-sha512 = "0a3dfdfa6b4234e2e1d42142269f959bdf3cf8f6605a50270a27eff84dd22588f182121f7dd3eeb04be45f5109d02690215065b3d3b43882874d0e165a1435d0"
+url = "https://ftp.gnu.org/gnu/coreutils/coreutils-9.10.tar.xz.sig"
+sha512 = "83ec7f4a313ed425bf362bf3512042f9562df20daa03465090025a54e85f98c301b7be770340b08193bdf78b413a3bd87b218b71234443e756472205ce840c67"
 
 [build-dependencies]
 glibc = { path = "../glibc" }

packages/coreutils/coreutils.spec

@@ -1,5 +1,5 @@
 Name: %{_cross_os}coreutils
-Version: 9.9
+Version: 9.10
 Release: 1%{?dist}
 Summary: A set of basic GNU tools
 License: GPL-3.0-or-later

packages/glibc/0001-Replace-advisories-directory-with-pointer-file.patch → packages/glibc/0001-Replace-advisories-directory-with-file-ADVISORIES.patch

@@ -1,7 +1,7 @@
-From bdea6c37197a3c9bd976911cce5f580dea1c28dd Mon Sep 17 00:00:00 2001
+From f02515d8a6963158e0e4be8034b96c658e1b9a32 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20K=2E=20H=C3=BCttel?= <dilfridge@gentoo.org>
-Date: Mon, 28 Jul 2025 20:35:38 +0200
-Subject: [PATCH] Replace advisories directory with pointer file
+Date: Fri, 23 Jan 2026 23:59:36 +0100
+Subject: [PATCH] Replace advisories directory with file ADVISORIES
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -27,8 +27,11 @@ Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
  advisories/GLIBC-SA-2025-0003 | 30 --------------
  advisories/GLIBC-SA-2025-0004 | 29 -------------
  advisories/GLIBC-SA-2025-0005 | 14 -------
+ advisories/GLIBC-SA-2026-0001 | 41 -------------------
+ advisories/GLIBC-SA-2026-0002 | 36 ----------------
+ advisories/GLIBC-SA-2026-0003 | 36 ----------------
  advisories/README             | 77 -----------------------------------
- 20 files changed, 2 insertions(+), 470 deletions(-)
+ 23 files changed, 2 insertions(+), 583 deletions(-)
  create mode 100644 ADVISORIES
  delete mode 100644 advisories/GLIBC-SA-2023-0001
  delete mode 100644 advisories/GLIBC-SA-2023-0002
@@ -48,6 +51,9 @@ Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
  delete mode 100644 advisories/GLIBC-SA-2025-0003
  delete mode 100644 advisories/GLIBC-SA-2025-0004
  delete mode 100644 advisories/GLIBC-SA-2025-0005
+ delete mode 100644 advisories/GLIBC-SA-2026-0001
+ delete mode 100644 advisories/GLIBC-SA-2026-0002
+ delete mode 100644 advisories/GLIBC-SA-2026-0003
  delete mode 100644 advisories/README
 
 diff --git a/ADVISORIES b/ADVISORIES
@@ -559,6 +565,137 @@ index 8bcccc59a5..0000000000
 -Public-Date: 2025-07-22
 -Vulnerable-Commit: 963d8d782fc98fb6dc3a66f0068795f9920c269d (2.3.3-1596)
 -Fix-Commit: 7ea06e994093fa0bcca0d0ee2c1db271d8d7885d (2.42)
+diff --git a/advisories/GLIBC-SA-2026-0001 b/advisories/GLIBC-SA-2026-0001
+deleted file mode 100644
+index 3e0ee3b3f4..0000000000
+--- a/advisories/GLIBC-SA-2026-0001
++++ /dev/null
+@@ -1,41 +0,0 @@
+-Integer overflow in memalign leads to heap corruption
+-
+-Passing too large an alignment to the memalign suite of functions
+-(memalign, posix_memalign, aligned_alloc) in the GNU C Library version
+-2.30 to 2.42 may result in an integer overflow, which could consequently
+-result in a heap corruption.
+-
+-Note that the attacker must have control over both, the size as well as
+-the alignment arguments of the memalign function to be able to exploit
+-this.  The size parameter must be close enough to PTRDIFF_MAX so as to
+-overflow size_t along with the large alignment argument.  This limits
+-the malicious inputs for the alignment for memalign to the range [1<<62
+-+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.
+-
+-Typically the alignment argument passed to such functions is a known
+-constrained quantity (e.g. page size, block size, struct sizes) and is
+-not attacker controlled, because of which this may not be easily
+-exploitable in practice.  An application bug could potentially result in
+-the input alignment being too large, e.g. due to a different buffer
+-overflow or integer overflow in the application or its dependent
+-libraries, but that is again an uncommon usage pattern given typical
+-sources of alignments.
+-
+-CVE-Id: CVE-2026-0861
+-Public-Date: 2026-01-14
+-Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206 (2.30)
+-Fix-Commit: c9188d333717d3ceb7e3020011651f424f749f93 (2.43)
+-Fix-Commit: 7f19ef14fbce095d4c77395e258320cad2ea2b28 (2.30-153)
+-Fix-Commit: f18446d7b4a423090ee5e328c36b3c2a0f26041c (2.31-166)
+-Fix-Commit: 8aef9e7a7af9565c0324b4ecb38b30dfa3782fd8 (2.32-151)
+-Fix-Commit: 011293b4fd748cdd6f95874ba2b6aba9a3df8bff (2.33-275)
+-Fix-Commit: 2c77e52108a58956c9f674b36e1f59a4e3fdcf4d (2.34-525)
+-Fix-Commit: 499d1ccafccfe64df1b88deea2fa84d8180e8e8f (2.35-399)
+-Fix-Commit: fb6b8822175769b5794fb6ea04f2895483a29b61 (2.36-244)
+-Fix-Commit: 7b913d41a07836def826f2164c52541a9835f324 (2.37-172)
+-Fix-Commit: 744b63026a29f7eedbbc8e3a01a7f48a6eb0a085 (2.38-212)
+-Fix-Commit: fb22fd3f5b415dd4cd6f7b5741c2f0412374e242 (2.39-286)
+-Fix-Commit: bfc4dd9e526eacf3017dd8864ba0848e9d045dd4 (2.40-216)
+-Fix-Commit: 1e2c1ea4307197ccece0cda574bcfebf9080894c (2.41-121)
+-Fix-Commit: b0ec8fb689df862171f0f78994a3bdeb51313545 (2.42-49)
+-Reported-by: Igor Morgenstern, Aisle Research
+diff --git a/advisories/GLIBC-SA-2026-0002 b/advisories/GLIBC-SA-2026-0002
+deleted file mode 100644
+index f10d8362f6..0000000000
+--- a/advisories/GLIBC-SA-2026-0002
++++ /dev/null
+@@ -1,36 +0,0 @@
+-getnetbyaddr and getnetbyaddr_r leak stack contents to DNS resovler
+-
+-Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf
+-that specifies the library's DNS backend for networks and queries for a
+-zero-valued network in the GNU C Library version 2.0 to version 2.42
+-can leak stack contents to the configured DNS resolver.
+-
+-A defect in the _nss_dns_getnetbyaddr_r function which implements
+-getnetbyaddr and getnetbyaddr_r in the dns-based network database can
+-pass stack contents unmodified to the configured DNS resolver as part of
+-the network DNS query when the network queried is the default network
+-i.e. net == 0x0.  This stack contents leaking in the query is considered
+-a loss of confidentiality for the host making the query.  Typically it
+-is rare to call these APIs with a net value of zero, and if an attacker
+-can control the net value it can only leak adjacent stack, and so loss
+-of confidentiality is spatially limited.  The leak might be used to
+-accelerate an ASLR bypass by knowing pointer values, but also requires
+-network adjacent access to snoop between the application and the
+-DNS server; making the attack complexity higher.
+-
+-CVE-Id: CVE-2026-0915
+-Public-Date: 2026-01-15
+-Vulnerable-Commit: 5f0e6fc702296840d2daa39f83f6cb1e40073d58 (1.92-1)
+-Fix-Commit: e56ff82d5034ec66c6a78f517af6faa427f65b0b (2.43)
+-Fix-Commit: 453e6b8dbab935257eb0802b0c97bca6b67ba30e (2.42-50)
+-Fix-Commit: 15c9839a0b853f552b4ed9047841b6223f3c104d (2.41-122)
+-Fix-Commit: 329c775788b2c9ff3da774ccf59fba7b6b8ff08e (2.40-217)
+-Fix-Commit: 831f63b94ceb92fb14c0d1a7ddad35a0d1404c71 (2.39-287)
+-Fix-Commit: 49125ffc8e1674dc2a100dfdc5b78796f22e16f2 (2.38-213)
+-Fix-Commit: ddcaed5dfb05b2c1a6ea842fd6b643501365450a (2.37-173)
+-Fix-Commit: a6bf47887f24b2b394acb301a3189fda04bd4d4d (2.36-245)
+-Fix-Commit: 66f0cb057c9b4fb1249a5fec6ef4a63511a37899 (2.35-400)
+-Fix-Commit: 96863dee262225cfb79f9fe45e06fd188319c7b8 (2.34-526)
+-Fix-Commit: d210011f1536c8322157cbb4fe4229b35c834c08 (2.33-276)
+-Fix-Commit: 1bc1832cfc74c2a601220969f36e789a5e9f0ebe (2.32-152)
+-Reported-by: Igor Morgenstern, Aisle Research
+diff --git a/advisories/GLIBC-SA-2026-0003 b/advisories/GLIBC-SA-2026-0003
+deleted file mode 100644
+index b7a6e83a10..0000000000
+--- a/advisories/GLIBC-SA-2026-0003
++++ /dev/null
+@@ -1,36 +0,0 @@
+-wordexp with WRDE_REUSE and WRDE_APPEND may return uninitialized memory
+-
+-Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the
+-GNU C Library version 2.0 to version 2.42 may cause the interface to
+-return uninitialized memory in the we_wordv member, which on subsequent
+-calls to wordfree may abort the process.
+-
+-The implementation of WRDE_REUSE in conjunction with WRDE_APPEND fails
+-to clear the we_wordc member of the structure, and as such, when new
+-words are added internally, a leading we_wordc count number of entries
+-are skipped since they are assumed initialized.  These skipped entries
+-are not initialized, but are the contents of a realloc-expanded array of
+-pointers.  If the caller inspects the we_wordv array, it will
+-dereference invalid pointers and crash. If the caller calls wordfree,
+-the malloc implementation may detect the invalid pointers and abort the
+-process.  Calls to wordexp using WRDE_REUSE and WRDE_APPEND have never
+-worked correctly and thus the existence of applications that make use of
+-this feature is unlikely.
+-
+-CVE-Id: CVE-2025-15281
+-Public-Date: 2026-01-20
+-Vulnerable-Commit: 8f2ece695d8822e9ecc63ecd157e90bf17a6fe65 (1.93-260)
+-Fix-Commit: 80cc58ea2de214f85b0a1d902a3b668ad2ecb302 (2.43)
+-Fix-Commit: cbf39c26b25801e9bc88499b4fd361ac172d4125 (2.42-51)
+-Fix-Commit: fb4db64a04ad6c96cd1fbb7e02eb59323b1f2ac2 (2.41-123)
+-Fix-Commit: 9fe8576664d43b87ca19401fb6a975e217e47623 (2.40-218)
+-Fix-Commit: ce65d944e38a20cb70af2a48a4b8aa5d8fabe1cc (2.39-288)
+-Fix-Commit: d5409a1be010699794264162c551ba60f05ee6c3 (2.38-214)
+-Fix-Commit: ff2b172803f6bbd897755d2ce83ec4323a1a15b3 (2.37-174)
+-Fix-Commit: e97cfe2293ed097eb3d0b4c18274d22855e65130 (2.36-246)
+-Fix-Commit: bb59339d02faebac534a87eea50c83c948f35b77 (2.35-401)
+-Fix-Commit: 2b656ff94d72f93c84d8da2e7c76456c1994f02e (2.34-527)
+-Fix-Commit: 1d8ed2067a8a5d162a07670d0d063429679f17a0 (2.33-277)
+-Fix-Commit: 3a56c4ee4ea49b8f2391a2d8d6220013c4160a79 (2.32-153)
+-Fix-Commit: 28eb5caf895ced5d895cb02757e109004a2d33e5 (2.31-167)
+-Reported-by: Vitaly Simonovich
 diff --git a/advisories/README b/advisories/README
 deleted file mode 100644
 index b8f8a829ca..0000000000

packages/glibc/0002-NEWS-add-new-section.patch → packages/glibc/0002-NEWS-add-new-section-2.43.1.patch

@@ -1,30 +1,29 @@
-From 3ec4dd77f648da031bba4d3fa14825e057b5a40d Mon Sep 17 00:00:00 2001
+From 45b58d6bd185b8c6d0c5b2b906243c1ecbaaecab Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Andreas=20K=2E=20H=C3=BCttel?= <dilfridge@gentoo.org>
-Date: Mon, 28 Jul 2025 23:39:48 +0200
-Subject: [PATCH] NEWS: add new section
+Date: Sat, 24 Jan 2026 02:32:06 +0100
+Subject: [PATCH] NEWS: add new section 2.43.1
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 
 Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
 ---
- NEWS | 6 ++++++
- 1 file changed, 6 insertions(+)
+ NEWS | 5 +++++
+ 1 file changed, 5 insertions(+)
 
 diff --git a/NEWS b/NEWS
-index f0b0e924a4..9cb8de11f9 100644
+index e271fb2e4d..97ef63d561 100644
 --- a/NEWS
 +++ b/NEWS
-@@ -5,6 +5,12 @@ See the end for copying conditions.
+@@ -4,6 +4,11 @@ See the end for copying conditions.
+
  Please send GNU C library bug reports via <https://sourceware.org/bugzilla/>
  using `glibc' in the "product" field.
- 
-+Version 2.42.1
++
++Version 2.43.1
 +
-+The following bugs were resolved with this release:
++The following bugs are resolved with this release:
 +
-+  [insert bugs here]
-+
- Version 2.42
+
+ Version 2.43
 
- Major new features: