Re: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver



Quoting Hubert Chathi (uhoreg@debian.org):

> I'm really more concerned about the fact that it's orphaned.  And it
> appears to be unmaintained upstream (last release in 2001, and
> upstream moved it from the "releases" directory to the "old-releases"
> directory).

Point taken.  I assume you are referring to
ftp://sources.redhat.com/pub/glibc/old-releases/nss_lwres-0.93.tar.gz

Here's original NSS module author Mark Kettenis <kettenis@gnu.org>'s
release announcement in July 2000:
http://sources.redhat.com/ml/libc-alpha/2000-07/msg00172.html

I guess we can hope that the current security incident will encourage
the glibc developers to consider adopting Kettenis's NSS code, as part
of a larger plan to (finally!) phase out the legacy BIND8 resolver code.
But that won't happen quickly, if at all, I fear.

