RE: CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
> -----Original Message-----
> From: J.H.M. Dassen (Ray) [mailto:dm@zensunni.demon.nl]
> Sent: 01 July 2002 14:03
> To: debian-security@lists.debian.org
> Subject: Re: CERT Advisory CA-2002-19 Buffer Overflow in
> Multiple DNS Resolver Libraries
>
> On Mon, Jul 01, 2002 at 13:24:37 +0100, Jeff Armstrong wrote:
> > > -----Original Message-----
> > > From: J.H.M. Dassen (Ray) [mailto:dm@zensunni.demon.nl]
>
> > > This has been fixed; see http://bugs.debian.org/151342
> for details.
>
> > I don't think this is 'fixed'?
>
> Sam spoke of "libisc4/libdns5" which exist only in testing
> and unstable, not
> in stable. The issue is fixed for BIND 8/9 in unstable with
> the uploads
> referenced in the bug log.
I believe he asked if "libisc4/libdns5" were the only things affected?
As BIND8.2.3 is in stable, I think it might be prudent to assume that
libraries in stable may be affected too. What about liblwres1 and
libresolv.so in libc6?
> > I am assuming that an update for libc6 for stable will
> follow as soon as
> > the security team are able.
>
> If it affects GNU libc, which is still unclear, at least to me. Pine's
> original advisory states "Platforms: FreeBSD, OpenBSD,
> NetBSD, maybe more."
> and so far the status of
> http://www.kb.cert.org/vuls/id/803539 for > every
> Linux vendor
> is "Unknown".
libc6 is indeed a big package and the Pine announcement seems rather
general, if we are lucky, Debians libresolv.so wont need an update.
Remember that the exploit affects programs that link against these
libraries to query a DNS server - you don't have to have BIND installed
to be vulnerable.
Call me paranoid, but I'm still not convinced that this issue is fixed.
Regards
Jeff
--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: