CVE-2015-7547: getaddrinfo() stack-based buffer overflow

Ben Croswell ben.croswell at gmail.com
Wed Feb 17 16:52:08 UTC 2016


Cyber folks asked if there was any way for the DNS servers to "protect" the
vulnerable clients.
The only thing I could see from the explanation was disabling or limiting
edns0 sizes. That is obviously not a long term option.
On Feb 17, 2016 11:39 AM, "Alan Clegg" <alan at clegg.com> wrote:

> On 2/17/16, 11:34 AM, "Reindl Harald" <bind-users-bounces at lists.isc.org on
> behalf of h.reindl at thelounge.net> wrote:
>
> >On 17.02.2016 at 17:22, Dominique Jullier wrote:
> >> Are there any thoughts around how to handle yesterday's glibc
> >> vulnerability[1][2] from the BIND side?
> >>
> >> Since it is a rather painful task to update all hosts to a new
> >> version of glibc, we were thinking about other possible workarounds
> >
> >Fedora, RHEL and Debian as well as likely all other relevant
> >distributions are providing a patched glibc - dunno what is "rather
> >painful" to apply an ordinary update like kernel security updates and
> >restart all network relevant processes or reboot
>
> While I agree that the "major distributions" (and even the minor ones) are
> getting patches out, I'd like to point out something that Alan Cox posted
> over on G+:
>
> "You can upgrade all your servers but if that little cheapo plastic box on
> your network somewhere has a vulnerable post 2008 glibc and ever does DNS
> lookups chances are it's the equivalent of a trapdoor into your network."
>
> https://plus.google.com/+AlanClegg/posts/R1UkJjHMMB6
>
> There does need to be something a bit deeper than "patch your servers".
>
> AlanC
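As an added example (not from this thread or from BIND), the script below shows what the "edns0 size" that Ben suggests limiting actually is on the wire: it reads the UDP payload size a client advertises in the OPT pseudo-RR of its query (RFC 6891 on top of the RFC 1035 wire format) and computes the largest UDP response a resolver with a capped maximum UDP size would return to that client. The query bytes are constructed by hand for the example.

```python
# Added example: parse the EDNS0 OPT pseudo-RR out of a DNS message to see what
# UDP payload size a client advertises, then apply a server-side size cap.
# The sample query bytes at the bottom are constructed, not captured traffic.
import struct

OPT_TYPE = 41  # RR type of the EDNS0 OPT pseudo-record (RFC 6891)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a domain name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def advertised_udp_size(msg: bytes):
    """Return the UDP payload size advertised in the OPT RR, or None if no EDNS0."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):                # question section: NAME, QTYPE, QCLASS
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):      # answer, authority, additional RRs
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass              # OPT reuses the CLASS field as the UDP payload size
        off += 10 + rdlen
    return None


def effective_udp_limit(client_advertised, server_max_udp_size: int) -> int:
    """Largest UDP response a size-capped server would send to this client."""
    if client_advertised is None:
        return 512                     # no EDNS0 at all: classic 512-byte DNS limit
    return min(client_advertised, server_max_udp_size)


# Constructed query: id 0x1234, RD set, one question (example.com A),
# one additional record: OPT with a 4096-byte advertised payload size.
QUERY = (
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x01"
    + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
    + b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0)
)

if __name__ == "__main__":
    size = advertised_udp_size(QUERY)
    print("client advertises:", size, "-> server capped at 512 sends at most:",
          effective_udp_limit(size, 512))
```

The cap only bounds what the server sends over UDP; as the thread itself concludes, it is no substitute for patching the client glibc.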