brian m. carlson wrote:
> Package: libc6
> Version: 2.7-12
> Severity: critical
> Tags: security
>
> The glibc stub resolver is vulnerable to CVE-2008-1447, according to DSA
> 1605. Since the vast majority of network-using programs use glibc as a
> resolver, this vulnerability affects virtually any network-using
> program, hence the severity. libc6 should not be released without a fix
> for this problem.
>
> The vulnerability has been exposed:
>
> http://demosthen.es/post/43048623/reliable-dns-forgery-in-2008
>
> If Slashdot knows it, so does everyone else.
>

With a recent kernel, I don't think the glibc stub resolver is
vulnerable: contrary to some other resolvers, it binds to an
unspecified port and lets the kernel decide the source port. The source
port randomization was implemented in the kernel one year ago [1], so
all machines using a kernel >= 2.6.24 should be safe.

Also please note that the glibc as a stub resolver is less vulnerable
than a recursive resolver, as an attacker would have to spoof one of the
ISP's nameservers, which is much more unlikely than spoofing one of the
servers on a recursive resolution path.

[1] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=32c1da70810017a98aa6c431a5494a302b6b9a30

--
  .''`.  Aurelien Jarno             | GPG: 1024D/F1BCDB73
 : :' :  Debian developer           | Electrical Engineer
 `. `'   [EMAIL PROTECTED]          | [EMAIL PROTECTED]
   `-    people.debian.org/~aurel32 | www.aurel32.net
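
A way to check the behaviour described in the message above on a given machine, as an added example that is not part of the original thread or of glibc: it opens UDP sockets without calling bind(), lets the kernel pick each source port, and counts how many consecutive ports differ by exactly one. The loopback destination, the sample size of 32 and the "more than half" threshold are assumptions chosen for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open one UDP socket without bind(), connect() it (no packet is sent for
 * UDP) and return the source port the kernel assigned, or -1 on error. */
static int ephemeral_port(const struct sockaddr_in *dst)
{
    struct sockaddr_in local;
    socklen_t len = sizeof local;
    int port = -1;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    if (connect(fd, (const struct sockaddr *)dst, sizeof *dst) == 0 &&
        getsockname(fd, (struct sockaddr *)&local, &len) == 0)
        port = ntohs(local.sin_port);
    close(fd);
    return port;
}

/* Count samples whose port is exactly previous + 1, i.e. the pattern a
 * non-randomizing kernel produces. Returns the number of such steps. */
static int sequential_steps(const int *ports, int n)
{
    int steps = 0;
    for (int i = 1; i < n; i++)
        if (ports[i] == ports[i - 1] + 1)
            steps++;
    return steps;
}

int main(void)
{
    enum { N = 32 };                       /* sample size (assumption) */
    int ports[N];
    struct sockaddr_in dst = {0};
    dst.sin_family = AF_INET;
    dst.sin_port = htons(53);
    inet_pton(AF_INET, "127.0.0.1", &dst.sin_addr); /* loopback only */
    for (int i = 0; i < N; i++) {
        ports[i] = ephemeral_port(&dst);
        if (ports[i] < 0) { fprintf(stderr, "socket setup failed\n"); return 2; }
    }
    int steps = sequential_steps(ports, N);
    printf("%d of %d consecutive ports incremented by one\n", steps, N - 1);
    return steps > (N - 1) / 2;  /* exit 1: ports look predictable (assumed threshold) */
}
```

Exit status 0 means the sampled ports did not follow a simple incrementing pattern; it does not measure the quality of the randomization beyond that.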