CVE-2015-7547: getaddrinfo() stack-based buffer overflow
G.W. Haywood
bind at jubileegroup.co.uk
Wed Feb 17 18:09:18 UTC 2016
Hi there,

On Wed, 17 Feb 2016, Dominique Jullier wrote:

> Are there any thoughts around how to handle yesterday's glibc
> vulnerability[1][2] from the bind side?

This is a glibc issue, not a bind issue. It makes no sense to attempt
to fix the problem by modifying bind. Firstly, bind is not the only
software which may call glibc's getaddrinfo() function in a way which
could permit exploitation, and secondly, a 'sticking plaster' fix is
likely to come unstuck anyway.

> Since it is a rather painful task in order to update all hosts ...

I fear that there's no alternative.

--
73,
Ged.