> -----Original Message-----
> From: J.H.M. Dassen (Ray) [mailto:[EMAIL PROTECTED]
> Sent: 01 July 2002 11:42
> Cc: [email protected]
> Subject: Re: CERT Advisory CA-2002-19 Buffer Overflow in
> Multiple DNS Resolver Libraries
>
> On Mon, Jul 01, 2002 at 11:23:08 +0100, Sam Vilain wrote:
> > Does anyone know if this affects Debian?
>
> This has been fixed; see http://bugs.debian.org/151342 for details.
>
> HTH,
> Ray
I don't think this is 'fixed'? I am assuming that an update for libc6 for stable will follow as soon as the security team are able. For example, dnsutils 1:8.2.3-0.potato.1 contains /usr/bin/aaaa, which ldd shows uses libc.so.6 and libresolv.so.2.

The worrying thing about this vulnerability is its wide-reaching implication: it affects hosts that access DNS servers, i.e. if your host requests DNS info from a malicious DNS server, the response may contain a buffer overflow that will affect your host.

For example, let's say you have a web server and no other services. If you have it configured to log the names of hosts accessing sites, it may look up an IP and receive a buffer overflow in return.

This is not a vulnerability so much in servers running BIND, but a vulnerability in hosts that access a DNS server.

Regards,
Jeff
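The scenario Jeff describes, a web server doing a reverse lookup and getting back a reply the remote DNS server controls, comes down to how the stub resolver copies names out of that reply. The following is an added illustration, not code from this thread and not the libresolv code the advisory covers: a bounded decoder for the name in a PTR answer, with constructed packets showing a benign reply, a reply whose RDATA is larger than a small fixed-size hostname buffer, and a reply whose RDATA is a compression pointer to itself. The packet bytes are hand-assembled for this example; the 32-byte buffer is an assumed stand-in for whatever fixed-size buffer a resolver copies a name into.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 255      /* RFC 1035: whole name on the wire, root included */
#define MAX_PTR_HOPS 16   /* defensive cap on compression-pointer chains */

/* Decode the (possibly compressed) name at msg[off] into out as dotted text.
 * Returns how many wire bytes the name occupies at off (how far the caller
 * should advance), or -1 if the packet is malformed/truncated or the name
 * would not fit in out. Never writes more than outlen bytes to out. */
static int dns_decode_name(const uint8_t *msg, size_t msglen, size_t off,
                           char *out, size_t outlen)
{
    size_t pos = off, written = 0, wire = 0, hops = 0;
    int consumed = -1;                  /* fixed once a pointer is followed */

    if (outlen == 0) return -1;
    for (;;) {
        if (pos >= msglen) return -1;   /* ran off the end of the packet */
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {     /* 11xxxxxx: compression pointer */
            if (pos + 1 >= msglen || ++hops > MAX_PTR_HOPS) return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (target >= pos) return -1;   /* only backward pointers: no loops */
            if (consumed < 0) consumed = (int)(pos + 2 - off);
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;      /* 01/10 prefixes are reserved */
        if (len == 0) break;            /* root label terminates the name */
        if (pos + 1 + len > msglen) return -1;      /* label is truncated */
        wire += 1 + len;
        if (wire + 1 > MAX_NAME) return -1;         /* over 255 wire bytes */
        /* separator (if not the first label) + label + NUL must fit in out */
        if (written + (written ? 1 : 0) + len + 1 > outlen) return -1;
        if (written) out[written++] = '.';
        memcpy(out + written, msg + pos + 1, len);
        written += len;
        pos += 1 + len;
    }
    out[written] = '\0';
    return consumed >= 0 ? consumed : (int)(pos + 1 - off);
}

/* Walk a one-question, one-answer response and decode the answer's RDATA as
 * a PTR target into out. Returns 0 on success, -1 on anything malformed. */
int dns_extract_ptr_target(const uint8_t *msg, size_t msglen,
                           char *out, size_t outlen)
{
    char scratch[MAX_NAME + 1];
    size_t pos = 12;                                /* past the fixed header */
    int n;

    if (msglen < 12) return -1;
    if (((msg[4] << 8) | msg[5]) != 1 || ((msg[6] << 8) | msg[7]) < 1) return -1;
    n = dns_decode_name(msg, msglen, pos, scratch, sizeof scratch);  /* QNAME */
    if (n < 0) return -1;
    pos += n + 4;                                   /* skip QTYPE, QCLASS */
    n = dns_decode_name(msg, msglen, pos, scratch, sizeof scratch);  /* NAME */
    if (n < 0) return -1;
    pos += n;
    if (pos + 10 > msglen) return -1;               /* TYPE..RDLENGTH present? */
    uint16_t type = (msg[pos] << 8) | msg[pos + 1];
    uint16_t rdlength = (msg[pos + 8] << 8) | msg[pos + 9];
    pos += 10;
    if (type != 12 /* PTR */ || pos + rdlength > msglen) return -1;
    /* RDATA is itself a name: decode with the same bounded routine and
     * insist it ends exactly where RDLENGTH says it does. */
    n = dns_decode_name(msg, msglen, pos, out, outlen);
    return (n < 0 || (size_t)n != rdlength) ? -1 : 0;
}

/* Constructed sample (not captured from a real server): PTR response for
 * 4.3.2.10.in-addr.arpa, answer NAME compressed to the question at offset 12,
 * RDATA "host.example.org". RDLENGTH sits at offsets 49-50, RDATA at 51. */
static const uint8_t benign_response[] = {
    0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,                /* header */
    1,'4', 1,'3', 1,'2', 2,'1','0', 7,'i','n','-','a','d','d','r',
    4,'a','r','p','a', 0, 0,12, 0,1,                               /* question */
    0xC0, 0x0C, 0,12, 0,1, 0,0,0x0E,0x10, 0,18,                    /* answer RR */
    4,'h','o','s','t', 7,'e','x','a','m','p','l','e', 3,'o','r','g', 0
};

/* Same layout, but RDATA is one 63-byte label (the longest the wire format
 * allows), which a short fixed-size hostname buffer cannot hold. */
static size_t build_oversized_response(uint8_t *buf, size_t buflen)
{
    const size_t head = 51;                   /* everything up to RDATA */
    if (buflen < head + 65) return 0;
    memcpy(buf, benign_response, head);
    buf[head - 2] = 0; buf[head - 1] = 65;    /* RDLENGTH = 1 + 63 + 1 */
    buf[head] = 63;
    memset(buf + head + 1, 'A', 63);
    buf[head + 64] = 0;
    return head + 65;
}

int check_benign(void)                 /* 1 if the benign reply decodes */
{
    char name[64];
    return dns_extract_ptr_target(benign_response, sizeof benign_response,
                                  name, sizeof name) == 0
        && strcmp(name, "host.example.org") == 0;
}

int check_oversized_rejected(void)     /* 1 if a 32-byte buffer is protected */
{
    uint8_t pkt[256]; char name[32];   /* 32 bytes: assumed small buffer */
    size_t len = build_oversized_response(pkt, sizeof pkt);
    return len != 0 && dns_extract_ptr_target(pkt, len, name, sizeof name) == -1;
}

int check_pointer_loop_rejected(void)  /* 1 if a self-pointing RDATA is refused */
{
    uint8_t pkt[sizeof benign_response]; char name[64];
    memcpy(pkt, benign_response, sizeof pkt);
    pkt[49] = 0; pkt[50] = 2;          /* RDLENGTH = 2 */
    pkt[51] = 0xC0; pkt[52] = 51;      /* pointer to offset 51: itself */
    return dns_extract_ptr_target(pkt, 53, name, sizeof name) == -1;
}

int main(void)
{
    printf("benign decodes: %d\n", check_benign());
    printf("oversized rejected: %d\n", check_oversized_rejected());
    printf("pointer loop rejected: %d\n", check_pointer_loop_rejected());
    return 0;
}
```

The point of the example is the direction of trust: every length in the reply (label lengths, RDLENGTH, pointer offsets) comes from the remote server, so the only lengths the decoder trusts are the packet size it received and the size of the buffer it was handed. A resolver that copies a label or RDATA into a fixed-size buffer on the strength of the server-supplied length is exactly the client-side exposure the thread is about.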

