Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
Hi security experts,
On Wed, 09 Jul 2008 03:55:27 +0000
Nick Boyce <nick@glimmer.demon.co.uk> wrote:
> Also, which Debian systems would otherwise use the libc stub resolver ?
> All systems which *don't* have BIND installed ?
I want to know that, too.
Do ALL systems (servers or desktops/laptops) need to install and
configure the bind9 (or something) package, or need to wait for an update?
And some Japanese Debian users ask me, "Really? Do we need to care
about glibc for this issue? No distros except Debian have released any
security advisories for glibc yet. I read the DSA, but how do we deal with this
glibc DNS vulnerability?"
At the CERT site, glibc has "Status Summary Unknown";
see http://www.kb.cert.org/vuls/id/MIMG-7ECL7W
On the glibc upstream cvsweb page, I cannot find any update for this issue.
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/NEWS?cvsroot=glibc
If we don't apply the workaround in DSA-1605, is my Debian box exploitable?
If exploitable, is it easy (impact/risk)?
I'm confused... help.
--
Regards,
Hideki Yamane henrich @ debian.or.jp/iijmio-mail.jp
http://wiki.debian.org/HidekiYamane