Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
Quoting Hubert Chathi (uhoreg@debian.org):
> I'm really more concerned about the fact that it's orphaned. And it
> appears to be unmaintained upstream (last release in 2001, and
> upstream moved it from the "releases" directory to the "old-releases"
> directory).
Point taken. I assume you are referring to
ftp://sources.redhat.com/pub/glibc/old-releases/nss_lwres-0.93.tar.gz
Here's original NSS module author Mark Kettenis <kettenis@gnu.org>'s
release announcement in July 2000:
http://sources.redhat.com/ml/libc-alpha/2000-07/msg00172.html
I guess we can hope that the current security incident will encourage
the glibc developers to consider adopting Kettenis's NSS code, as part
of a larger plan to (finally!) phase out the legacy BIND8 resolver code.
But that won't happen quickly, if at all, I fear.