Notices by musl libc (musl@fosstodon.org)

FWIW, libxml2 looks like it would be affected except that it refuses to convert *from* an encoding unless iconv also supports conversion *to* that encoding, and musl does not have encoders for most legacy DBCSs, only decoders.

Some clarification on impact: The most likely impacted programs are things which process data received in arbitrary text encodings.

For example, mutt (mail user agent) is definitely affected. Other mail clients, web browsers, etc. that use iconv rather than their own converters are probably affected too.

musl-cross-make has now also been updated to apply the CVE-2025-26519 patches to all supported musl versions when building: https://github.com/richfelker/musl-cross-make/commit/7b4c7b315226835bab03da73a45945acb1b3bedf

Security Advisory (CVE-2025-26519) for musl libc:

https://www.openwall.com/lists/musl/2025/02/13/1

All users running applications which use iconv with untrusted input (see link for details of what usage is affected) should patch ASAP.

Heads up musl uses: keep an eye out for a security advisory that may affect you. It will be posted on the mailing list and website and linked from a post here, and should appear within the next hour.

OpenSSH sshd on musl-based systems is not vulnerable to RCE via CVE-2024-6387 (regreSSHion).

This is because we do not use localtime in log timestamps and do not use dynamic allocation (because it could fail under memory pressure) for printf formatting.

While the sshd bug is UB (AS-unsafe syslog call from signal context), very deliberate decisions we made for other good reasons reduced the potential impact to deadlock taking a lock.

#musl web infrastructure has now been switched entirely over to tipidee (https://skarnet.org/software/tipidee/) thanks to range request support that was added a while back, and to fix some breakage introduced with split backends. Thanks @ska for writing it, help setting up, and feature additions to meet site needs!

The 1.2.5 release also fixes a number of bugs, some of which have probably already been backported by distros, but not all.

musl libc 1.2.5 is now available. Accouncement on the mailing list at https://www.openwall.com/lists/musl/2024/03/01/2

While this release doesn't bring any major new functionality for existing platforms, two new ports are finally upstream in musl: loongarch64 and riscv32.

Due to lack of support for request ranges, which are needed for friendly download support, static content is not switched over yet, but still using thttpd. We hope to have everything switched over in the near future.

musl libc web infrastructure is in the process of migration to the tipidee (https://skarnet.org/software/tipidee/) httpd software. This should greatly improve git repo access via https, which was previously flaky due to the non-conforming CGI implementation of thttpd.

musl libc 1.2.4 is now released: https://www.openwall.com/lists/musl/2023/05/02/1

The highlight of musl 1.2.4 is the new TCP fallback for DNS lookups. This solves the longstanding inability to lookup large records using the libc DNS query API, as well as incompatibility with nameservers that don't handle truncation well.