RE: CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
> -----Original Message-----
> From: J.H.M. Dassen (Ray) [mailto:email@example.com]
> Sent: 01 July 2002 11:42
> Cc: firstname.lastname@example.org
> Subject: Re: CERT Advisory CA-2002-19 Buffer Overflow in
> Multiple DNS Resolver Libraries
> On Mon, Jul 01, 2002 at 11:23:08 +0100, Sam Vilain wrote:
> > Does anyone know if this affects Debian?
> This has been fixed; see http://bugs.debian.org/151342 for details.
I don't think this is 'fixed'? I am assuming that an update for libc6
for stable will follow as soon as the security team are able.
For example dnsutils 1:8.2.3-0.potato.1 contains /usr/bin/aaaa which ldd
shows uses libc.so.6 and libresolv.so.2
The worrying thing about this vulnerability is its wide reaching
implication: it affects hosts that access DNS servers - i.e. if your
host requests DNS info from a malicious DNS server, the response may
contain a buffer overflow that will affect your host.
For example let's say you have a web server - no other services. If you
have it configured to log the names of hosts accessing sites, it may
look up an IP and receive a buffer overflow in return.
This is not a vulnerability so much in servers running BIND, but a
vulnerability in hosts that access a DNS server.
To UNSUBSCRIBE, email to email@example.com
with a subject of "unsubscribe". Trouble? Contact firstname.lastname@example.org