CVE-2015-7547: getaddrinfo() stack-based buffer overflow

Alan Clegg alan at clegg.com
Wed Feb 17 16:39:03 UTC 2016


On 2/17/16, 11:34 AM, "Reindl Harald" <bind-users-bounces at lists.isc.org on behalf of h.reindl at thelounge.net> wrote:

>Am 17.02.2016 um 17:22 schrieb Dominique Jullier:
>> Are they any thoughts around, how to handle yesterday's glibc
>> vulnerability[1][2] from the side bind?
>>
>> Since it is a rather painful task in order to update all hosts to a new
>> version of glibc, we were thinking about other possible workarounds
>
>Fedora, RHEL and Debian as well as likely all other relevant
>distributions are providing a patched glibc - dunno what is "rather
>painful" to apply an ordinary update like kernel security updates and
>restart all network relevant processes or reboot

While I agree that the "major distributions" (and even the minor ones) are
getting patches out, I'd like to point out something that Alan Cox posted
over on G+:

"You can upgrade all your servers but if that little cheapo plastic box on
your network somewhere has a vulnerable post 2008 glibc and ever does DNS
lookups chances are it's the equivalent of a trapdoor into your network."

https://plus.google.com/+AlanClegg/posts/R1UkJjHMMB6

There does need to be something a bit deeper than "patch your servers"...

AlanC
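The point Alan Cox raises is that the hosts that matter are the ones that do DNS lookups, and every such host shows up as a client in the resolver's query log. The script below is an added example (not part of this thread, and not BIND's own tooling) that turns a BIND 9 query log into a client inventory so the unpatched "plastic boxes" can be found and compared against the list of hosts that already received the glibc update. It assumes the default BIND 9 querylog line format (with or without the `@0x...` client token newer versions print); the log lines and the patched-host list are constructed for illustration.

```python
import re
from collections import Counter

# Regex for the BIND 9 query-log line format (assumption: default querylog
# format). The optional "@0x..." token covers BIND versions that print the
# client pointer; qname/qtype are captured so the inventory can be refined.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log (not from any real server); the last line is a
# non-query log entry to show that such lines are skipped.
SAMPLE_LOG = """\
17-Feb-2016 16:39:03.101 client 192.0.2.10#51234 (www.example.com): query: www.example.com IN A +E (192.0.2.1)
17-Feb-2016 16:39:03.202 client 192.0.2.10#51235 (www.example.com): query: www.example.com IN AAAA +E (192.0.2.1)
17-Feb-2016 16:39:04.303 client @0x7f3c5c0a1e60 192.0.2.77#40001 (time.example.net): query: time.example.net IN A + (192.0.2.1)
17-Feb-2016 16:39:05.404 client 2001:db8::5#53000 (mail.example.org): query: mail.example.org IN MX +E (2001:db8::1)
17-Feb-2016 16:39:06.505 zone example.com/IN: loaded serial 2016021701
"""


def parse_query_log(text):
    """Yield (client_ip, qname, qtype) for every query line; skip other lines."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname"), m.group("qtype")


def client_inventory(text):
    """Return {client_ip: number_of_queries} for every client seen in the log."""
    return Counter(ip for ip, _, _ in parse_query_log(text))


def clients_outside(text, patched_hosts):
    """Clients that do DNS lookups but are not in the list of hosts known to be patched."""
    known = set(patched_hosts)
    return sorted(ip for ip in client_inventory(text) if ip not in known)


if __name__ == "__main__":
    for ip, n in client_inventory(SAMPLE_LOG).most_common():
        print(f"{ip:20} {n} queries")
    # Constructed list of hosts that already received the glibc update.
    print("unaccounted for:", clients_outside(SAMPLE_LOG, ["192.0.2.10"]))
```

Run it against a real query log (`rndc querylog` turns logging on in BIND 9) and feed the patched-host list from your configuration management; whatever remains in the "unaccounted for" output is a device that resolves names through your resolver but has not been confirmed as updated.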