Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
* Hideki Yamane:
> On Wed, 09 Jul 2008 03:55:27 +0000
> Nick Boyce <firstname.lastname@example.org> wrote:
>> Also, which Debian systems would otherwise use the libc stub resolver ?
>> All systems which *don't* have BIND installed ?
> I want to know that, too.
> Should ALL systems (servers or desktops/laptops) have the bind9 (or
> similar) package installed and configured, or should they wait for an update?
It depends on what the system does. A successful attack requires the
ability to reflect DNS queries through the resolver, and some
information must leak back to the attacker. In general, I would use the
local BIND hack only for highly exposed servers (such as IRC servers,
which have a history of attracting all kinds of evilness). The 2.6.24
kernel available since the last etch point release offers some
protection as well.
Unfortunately, it turns out the GNU libc fix is more difficult than
initially assumed. However, I didn't know at the time how aggressively
the stub resolver issue would be pushed, so I opted for the advisory to
document that the issue is on our radar screen.
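The question above (which hosts still use the libc stub resolver directly, and which already send everything through a local BIND) can be answered from /etc/resolv.conf. The following is an added example, not code from the thread or from Debian: it parses resolv.conf text and reports whether the stub resolver talks to a loopback recursor or straight to remote servers. The sample inputs in the test are constructed.

```python
"""Classify what a host's libc stub resolver talks to, from resolv.conf text.

Added example (not from the mailing-list thread). resolv.conf(5) grammar:
'nameserver ADDR' and 'options ...' lines, '#' or ';' introduce comments.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ResolvConf:
    nameservers: list = field(default_factory=list)
    options: list = field(default_factory=list)


def parse_resolv_conf(text: str) -> ResolvConf:
    """Parse resolv.conf text; malformed nameserver entries are skipped."""
    conf = ResolvConf()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            try:
                conf.nameservers.append(ipaddress.ip_address(args[0]))
            except ValueError:
                pass  # not an IP address: ignore the entry
        elif key == "options":
            conf.options.extend(args)
    return conf


def resolver_exposure(text: str) -> str:
    """'local-recursor': every nameserver is loopback (local BIND in front).
    'remote-stub': the stub resolver queries remote servers directly.
    'mixed': both kinds listed; the remote path is still used on fallback."""
    conf = parse_resolv_conf(text)
    # With no nameserver lines, resolv.conf(5) says the local host is used.
    addrs = conf.nameservers or [ipaddress.ip_address("127.0.0.1")]
    loopback = [a for a in addrs if a.is_loopback]
    if len(loopback) == len(addrs):
        return "local-recursor"
    if not loopback:
        return "remote-stub"
    return "mixed"


if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        print(resolver_exposure(fh.read()))
```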