Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver

To: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
From: Josip Rodin <joy@entuzijast.net>
Date: Tue, 8 Jul 2008 19:40:46 +0200
Message-id: <20080708174046.GA27679@orion.carnet.hr>
In-reply-to: <87myks4886.fsf@mid.deneb.enyo.de>
References: <87myks4886.fsf@mid.deneb.enyo.de>

On Tue, Jul 08, 2008 at 07:05:29PM +0200, Florian Weimer wrote:
> Package        : glibc
> 
> At this time, it is not possible to implement the recommended
> countermeasures in the GNU libc stub resolver.  The following
> workarounds are available:
> 
> 1. Install a local BIND 9 resoler on the host, possibly in
> forward-only mode.  BIND 9 will then use source port randomization
> when sending queries over the network.  (Other caching resolvers can
> be used instead.)

Why is this phrased in a way that it prefers BIND as a recursive resolver,
when that same software was *only just* patched to be acceptable for the
same purpose?

I'm not particularly hell-bent on security, but I would expect the security
team to avoid doing these kinds of things...

-- 
     2. That which causes joy or happiness.

Reply to:

Follow-Ups:
- Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
  - From: Rick Moen <rick@linuxmafia.com>

Prev by Date: Bug#489678: tree-puzzle: Uses a local copy of libsprng.
Next by Date: Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
Previous by thread: Bug#489678: tree-puzzle: Uses a local copy of libsprng.
Next by thread: Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
Index(es):
- Date
- Thread