Hello,

A question to those more knowledgeable: we're using our own DNS servers for all lookups, and those do recursive lookup for any external addresses. Am I right to assume that Bind9 uses its own implementation for DNS lookups? Or are those now basically ticking time bombs?

Regards,
Peter Ludikovsky

On 16.02.2016 at 15:18, Salvatore Bonaccorso wrote:
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-3481-1                   security@debian.org
> https://www.debian.org/security/                           Florian Weimer
> February 16, 2016                     https://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : glibc
> CVE ID         : CVE-2015-7547 CVE-2015-8776 CVE-2015-8778 CVE-2015-8779
> Debian Bug     : 812441 812445 812455
>
> Several vulnerabilities have been fixed in the GNU C Library, glibc.
>
> The first vulnerability listed below is considered to have critical
> impact.
>
> CVE-2015-7547
>
>     The Google Security Team and Red Hat discovered that the glibc host
>     name resolver function, getaddrinfo, when processing AF_UNSPEC
>     queries (for dual A/AAAA lookups), could mismanage its internal
>     buffers, leading to a stack-based buffer overflow and arbitrary
>     code execution. This vulnerability affects most applications which
>     perform host name resolution using getaddrinfo, including system
>     services.
>
> CVE-2015-8776
>
>     Adam Nielsen discovered that if an invalid separated time value is
>     passed to strftime, the strftime function could crash or leak
>     information. Applications normally pass only valid time
>     information to strftime; no affected applications are known.
>
> CVE-2015-8778
>
>     Szabolcs Nagy reported that the rarely-used hcreate and hcreate_r
>     functions did not check the size argument properly, leading to a
>     crash (denial of service) for certain arguments. No impacted
>     applications are known at this time.
>
> CVE-2015-8779
>
>     The catopen function contains several unbound stack allocations
>     (stack overflows), causing it to crash the process (denial of
>     service). No applications where this issue has a security impact
>     are currently known.
>
> While it is only necessary to ensure that all processes are not using
> the old glibc anymore, it is recommended to reboot the machines after
> applying the security upgrade.
>
> For the stable distribution (jessie), these problems have been fixed in
> version 2.19-18+deb8u3.
>
> For the unstable distribution (sid), these problems will be fixed in
> version 2.21-8.
>
> We recommend that you upgrade your glibc packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-announce@lists.debian.org
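The advisory's remediation step is that no process may still run on the old glibc, and that libc6 must be at the fixed jessie version. As an added example (not from the advisory, from Debian's tooling, or from the poster), this POSIX shell script checks the installed libc6 against 2.19-18+deb8u3 with dpkg's own version ordering and lists processes whose /proc/<pid>/maps still reference a replaced ("(deleted)") libc; the sample maps lines are constructed.

```shell
#!/bin/sh
# Post-upgrade check for DSA-3481 (CVE-2015-7547). Added example, not part
# of the advisory or of Debian's tooling. Two questions a defender asks after
# the upgrade: is libc6 at or above the fixed version, and which processes
# still map the old libc (the file was replaced, so /proc shows "(deleted)").

# Reads one /proc/<pid>/maps file on stdin; prints 1 if it maps a libc whose
# on-disk file has been replaced since the process started, otherwise 0.
maps_has_stale_libc() {
    if grep -E '/libc[-.][^ ]* \(deleted\)' >/dev/null; then
        echo 1
    else
        echo 0
    fi
}

# Prints "<pid> <command>" for every process still running on the pre-upgrade
# glibc; each needs a restart (or the reboot the advisory recommends).
list_stale_libc_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        if [ "$(maps_has_stale_libc < "$maps")" = 1 ]; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# Compares installed libc6 with the jessie fix version from the advisory.
# Prints fixed, vulnerable, or unknown (no dpkg, e.g. on a non-Debian host).
check_libc6_version() {
    fixed='2.19-18+deb8u3'
    installed=$(dpkg-query -W -f='${Version}' libc6 2>/dev/null) || { echo unknown; return 0; }
    if dpkg --compare-versions "$installed" ge "$fixed"; then echo fixed; else echo vulnerable; fi
}

# Constructed sample maps lines (not captured from a real host): one process
# still on the replaced libc-2.19.so, one already on the new file.
SAMPLE_STALE_MAPS='7f2a1c000000-7f2a1c1ba000 r-xp 00000000 08:01 1234 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f2a1c3c0000-7f2a1c3e3000 r-xp 00000000 08:01 2345 /lib/x86_64-linux-gnu/ld-2.19.so'
SAMPLE_CLEAN_MAPS='7f2a1c000000-7f2a1c1ba000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc-2.19.so
7f2a1c3c0000-7f2a1c3e3000 r-xp 00000000 08:01 6789 /lib/x86_64-linux-gnu/ld-2.19.so'

# Stand-alone run: show the check on the samples, then scan this host.
printf 'sample stale : %s\n' "$(printf '%s\n' "$SAMPLE_STALE_MAPS" | maps_has_stale_libc)"   # 1
printf 'sample clean : %s\n' "$(printf '%s\n' "$SAMPLE_CLEAN_MAPS" | maps_has_stale_libc)"   # 0
printf 'libc6        : %s\n' "$(check_libc6_version)"
list_stale_libc_processes
```

Run it as root after `apt-get upgrade` so every process's maps file is readable; an empty process list plus "fixed" means the advisory's remediation is complete without a reboot.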