* Hideki Yamane:

> On Wed, 09 Jul 2008 03:55:27 +0000
> Nick Boyce <[EMAIL PROTECTED]> wrote:
>> Also, which Debian systems would otherwise use the libc stub resolver ?
>> All systems which *don't* have BIND installed ?
>
> I want to know that, too.
> Should ALL systems (servers or desktops/laptops) need to be installed
> and configure bind9 (or something) package, or need to wait for update?

It depends on what the system does. A successful attack requires the ability to reflect DNS queries through the resolver, and some information must leak back to the attacker. In general, I would use the local BIND hack only for highly exposed servers (such as IRC servers, which have a history of attracting all kinds of evilness). The 2.6.24 kernel available since the last etch point release offers some protection as well.

Unfortunately, it turns out the GNU libc fix is more difficult than initially assumed. However, I didn't know at the time how aggressively the stub resolver issue would be pushed, so I opted for the advisory to document that the issue is on our radar screen.

