OracleLinux ELSA-2018-4078
Apr 18, 2018 - 12:00 a.m.

glibc security update

2018-04-18 00:00:00
linux.oracle.com

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.8 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

EPSS: 0.107 Low
  Percentile: 94.5%

[2.17-222]
  • Restore internal GLIBC_PRIVATE symbols for use during upgrades (#1523119)

[2.17-221]
  • CVE-2018-1000001: Fix realpath() buffer underflow (#1534635)
  • i386: Fix unwinding for 32-bit C++ application (#1529982)
  • Reduce thread and dynamic loader stack usage (#1527904)
  • x86-64: Use XSAVE/XSAVEC more often during lazy symbol binding (#1528418)

[2.17-220]
  • Update HWCAP bits for IBM POWER9 DD2.1 (#1503854)

[2.17-219]
  • Rebuild with newer gcc for aarch64 stack probing fixes (#1500475)

[2.17-218]
  • Improve memcpy performance for POWER9 DD2.1 (#1498925)

[2.17-217]
  • Update Linux system call list to kernel 4.13 (#1508895)

[2.17-216]
  • x86-64: Use XSAVE/XSAVEC in the ld.so trampoline (#1504969)

[2.17-215]
  • CVE-2017-15670: glob: Fix one-byte overflow with GLOB_TILDE (#1504809)
  • CVE-2017-15804: glob: Fix buffer overflow in GLOB_TILDE unescaping (#1504809)

[2.17-214]
  • Fix check-localplt test failure.
  • Include ld.so in check-localplt test. (#1440250)

[2.17-213]
  • Fix build warning in locarchive.c (#1349964)

[2.17-212]
  • Hide reference to mktemp in libpthread (#1349962)

[2.17-211]
  • Implement fopencookie hardening (#1372305)

[2.17-210]
  • x86-64: Support __tls_get_addr with an unaligned stack (#1468807)

[2.17-209]
  • Define CLOCK_TAI in
    (#1448822)

[2.17-208]
  • Compile glibc with -fstack-clash-protection (#1500475)

[2.17-207]
  • aarch64: Avoid invalid relocations in the startup code (#1500908)

[2.17-206]
  • Fix timezone test failures on large parallel builds. (#1234449, #1378329)

[2.17-205]
  • Handle DSOs with no PLT (#1445781)

[2.17-204]
  • libio: Implement vtable verification (#1398413)

[2.17-203]
  • Fix socket system call selection on s390x (#1498566).
  • Use different construct for protected visibility in IFUNC tests (#1445644)

[2.17-202]
  • Rebase the DNS stub resolver and getaddrinfo to the glibc 2.26 version
  • Support an arbitrary number of search domains in the stub resolver (#677316)
  • Detect and apply /etc/resolv.conf changes in libresolv (#1432085)
  • CVE-2017-1213: Fragmentation attacks possible when EDNS0 is enabled (#1487063)
  • CVE-2016-3706: Stack (frame) overflow in getaddrinfo when called with AF_INET, AF_INET6 (#1329674)
  • CVE-2015-5180: resolv: Fix crash with internal QTYPE (#1497131)
  • CVE-2014-9402: denial of service in getnetbyname function (#1497132)
  • Fix getaddrinfo to handle certain long lines in /etc/hosts (#1452034)
  • Make RES_ROTATE start with a random name server (#1257639)
  • Stricter IPv6 address parser (#1484034)
  • Remove noip6dotint support from the stub resolver (#1482988)
  • Remove partial bitstring label support from the stub resolver
  • Remove unsupported resolver hook functions from the API
  • Remove outdated RR type classification macros from the API
  • hesiod: Always use TLS resolver state
  • hesiod: Avoid non-trust-boundary crossing heap overflow in get_txt_records

[2.17.201]
  • Fix hang in nscd cache prune thread (#1435615)

[2.17-200]
  • Add binary timezone test data files (#1234449, #1378329)

[2.17.198]
  • Add support for new IBM z14 (s390x) instructions (#1375235)

[2.17-197]
  • Fix compile warnings in malloc (#1347277)
  • Fix occasional tst-malloc-usable failures (#1348000)
  • Additional chunk hardening in malloc (#1447556)
  • Pointer alignment fix in nss group merge (#1463692)
  • Fix SIGSEGV when LD_LIBRARY_PATH only has non-existing paths (#1443236)
