Re: CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
Hi,
Thanks for the comments.
Ah, I see your in-depth post on Bugtraq now (-;
http://msgs.securepoint.com/cgi-bin/get/bugtraq0207/39/1.html
From your Bugtraq post, I got the impression that since I haven't
changed the defaults in /etc/nsswitch.conf -- i.e. my networks: line
is:
networks: files
I shouldn't have anything to worry about at the moment. Does that
sound right?
I presume though that updated libc6 packages are being worked on --
Can anyone comment on this?
P.S. This recent string of problems:
Apache chunk
OpenSSH
libc resolver / BIND
mod_ssl
Samba (haven't seen this in English news yet)
in such a short period is the worst (in the sense of each of the
problems being in fairly widely used packages and the problems
being serious) I've experienced in my 7-8 years of system
administration. I've been dreading what the rest of "summer
vacation" has in store for us...
From: Florian Weimer
Subject: Re: CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
Date: Thu, 04 Jul 2002 08:40:31 +0200
> sen_ml@eccosys.com writes:
>
> > I see a claim that glibc isn't vulnerable at:
> >
> > http://www.kb.cert.org/CERT_WEB/vul-notes.nsf/id/AAMN-5BMSW2
> >
> > Any comments?
>
> GNU libc in its current version does contain incorrect code from BIND
> 4.9. It is vulnerable, though not in the way initially described by
> PINE-CERT. However, most vendors (including, for example, OpenBSD)
> have fixed the same vulnerability while addressing the main issues
> raised by PINE-CERT.