Re: CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
Hi, From: Florian Weimer [EMAIL PROTECTED] Subject: Re: CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries Date: Fri, 05 Jul 2002 12:20:06 +0200 [EMAIL PROTECTED] writes: Ah, I see your in-depth post on Bugtraq now (-; http://msgs.securepoint.com/cgi-bin/get/bugtraq0207/39/1.html From your Bugtraq post, I got the impression that since I haven't changed the defaults in /etc/nsswitch.conf -- i.e. my networks: line is: networks: files I shouldn't have anything to worry about at the moment. Does that sound right? Yes, you don't have to worry about any of the problems which have been published so far (no, I don't know of any other problems). Great! Thanks for taking the time to make the clarification. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
[EMAIL PROTECTED] writes: I see a claim that glibc isn't vulnerable at: http://www.kb.cert.org/CERT_WEB/vul-notes.nsf/id/AAMN-5BMSW2 Any comments? GNU libc in its current version does contain incorrect code from BIND 4.9. It is vulnerable, though not in the way initially described by PINE-CERT. However, most vendors (including, for example, OpenBSD) have fixed the same vulnerability while adressing the main issues raised by PINE-CERT. -- Florian Weimer[EMAIL PROTECTED] University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/ RUS-CERT fax +49-711-685-5898 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
Hi, Thanks for the comments. Ah, I see your in-depth post on Bugtraq now (-; http://msgs.securepoint.com/cgi-bin/get/bugtraq0207/39/1.html From your Bugtraq post, I got the impression that since I haven't changed the defaults in /etc/nsswitch.conf -- i.e. my networks: line is: networks: files I shouldn't have anything to worry about at the moment. Does that sound right? I presume though that updated libc6 packages are being worked on -- Can anyone comment on this? P.S. This recent string of problems: Apache chunk OpenSSH libc resolver / BIND mod_ssl Samba (haven't seen this in English news yet) in such a short period is the worst (in the sense of each of the problems being in fairly widely used packages and the problems being serious) I've experienced in my 7-8 years of system administration. I've been dreading what the rest of summer vacation has in store for us... From: Florian Weimer Subject: Re: CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries Date: Thu, 04 Jul 2002 08:40:31 +0200 [EMAIL PROTECTED] writes: I see a claim that glibc isn't vulnerable at: http://www.kb.cert.org/CERT_WEB/vul-notes.nsf/id/AAMN-5BMSW2 Any comments? GNU libc in its current version does contain incorrect code from BIND 4.9. It is vulnerable, though not in the way initially described by PINE-CERT. However, most vendors (including, for example, OpenBSD) have fixed the same vulnerability while adressing the main issues raised by PINE-CERT. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
[Trying again w/ an attempt to graft on to an existing thread.] Hi, I see a claim that glibc isn't vulnerable at: http://www.kb.cert.org/CERT_WEB/vul-notes.nsf/id/AAMN-5BMSW2 Any comments? -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
Hi, I see a claim that glibc isn't vulnerable at: http://www.kb.cert.org/CERT_WEB/vul-notes.nsf/id/AAMN-5BMSW2 Any comments? (Sorry about breaking the thread -- I only just recently subscribed and don't have the messages in this thread in my mailer) -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
On Mon, Jul 01, 2002 at 11:23:08 +0100, Sam Vilain wrote: Does anyone know if this affects Debian? This has been fixed; see http://bugs.debian.org/151342 for details. HTH, Ray -- Gartner Group ?!? Never heard of them. What did they do in computing except manage to put on their tie without accidentaly killing themselves ?!? Mark Veltzer explains the value of industry analysts in http://linuxtoday.com/news_story.php3?ltsn=2001-06-21-006-21-NW-EL-MR -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
J.H.M. Dassen (Ray) [EMAIL PROTECTED] wrote: Does anyone know if this affects Debian? This has been fixed; see http://bugs.debian.org/151342 for details. Excellent. To summarise that bug report for the benefit of those interested, if you are running any of the following packages: bind9 bind9-host libbind-dev libdns5 libisc4 liblwres1 libisccc0 ibisccfg0 dnsutils lwresd They should be version 9.2.1-3 or higher, which were uploaded to unstable approximately 6 hours ago (Mon, 1 Jul 2002 00:16:31 -0600). bind 8 is also vulnerable (see http://bugs.debian.org/151247) If you are running any of the the following packages: bind bind-dev Then you need version 8.3.3-1 or higher, which were uploaded to unstable approximately 12 hours ago (Sun, 30 Jun 2002 21:48:10 -0600). The fixed packages do not appear to be available yet on security.debian.org Cheers, -- Sam Vilain, [EMAIL PROTECTED] WWW: http://sam.vilain.net/ 7D74 2A09 B2D3 C30F F78E GPG: http://sam.vilain.net/sam.asc 278A A425 30A9 05B5 2F13 I regret to say that we of the FBI are powerless to act in cases of oral-genital intimacy, unless it has in some way obstructed interstate commerce. J EDGAR HOOVER -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
On Mon, 1 Jul 2002 13:02:34 +0100 Sam Vilain [EMAIL PROTECTED] wrote: J.H.M. Dassen (Ray) [EMAIL PROTECTED] wrote: Does anyone know if this affects Debian? This has been fixed; see http://bugs.debian.org/151342 for details. Excellent. To summarise that bug report for the benefit of those interested, if you are running any of the following packages: bind9 bind9-host libbind-dev libdns5 libisc4 liblwres1 libisccc0 ibisccfg0 dnsutils lwresd They should be version 9.2.1-3 or higher, which were uploaded to unstable approximately 6 hours ago (Mon, 1 Jul 2002 00:16:31 -0600). bind 8 is also vulnerable (see http://bugs.debian.org/151247) If you are running any of the the following packages: bind bind-dev Then you need version 8.3.3-1 or higher, which were uploaded to unstable approximately 12 hours ago (Sun, 30 Jun 2002 21:48:10 -0600). The fixed packages do not appear to be available yet on security.debian.org Cheers, Hi With bind: 9_9.2.1-3.diff.gz, bind9_9.2.1-3.dsc from incoming.debian.org and the bind*.tar from pool dpkg-source and dpkg-buildpackage built me the packages today for i386. regards dominik -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
RE: CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
-Original Message- From: J.H.M. Dassen (Ray) [mailto:[EMAIL PROTECTED] Sent: 01 July 2002 11:42 Cc: debian-security@lists.debian.org Subject: Re: CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries On Mon, Jul 01, 2002 at 11:23:08 +0100, Sam Vilain wrote: Does anyone know if this affects Debian? This has been fixed; see http://bugs.debian.org/151342 for details. HTH, Ray I don't think this is 'fixed'? I am assuming that an update for libc6 for stable will follow as soon as the security team are able. For example dnsutils 1:8.2.3-0.potato.1 contains /usr/bin/ which ldd shows uses libc.so.6 and libresolv.so.2 The worrying thing about this vulnerability is its wide reaching implication: it affects hosts that access DNS servers - i.e. if your host requests DNS info from a malicious DNS server, the response may contain a buffer overflow that will affect your host. For example let's say you have a web server - no other services. If you have it configured to log the names of hosts accessing sites, it may look up an IP and receive a buffer overflow in return. This is not a vulnerability so much in servers running BIND, but a vulnerability in hosts that access a DNS server. Regards Jeff -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
On Mon, Jul 01, 2002 at 13:24:37 +0100, Jeff Armstrong wrote: -Original Message- From: J.H.M. Dassen (Ray) [mailto:[EMAIL PROTECTED] This has been fixed; see http://bugs.debian.org/151342 for details. I don't think this is 'fixed'? Sam spoke of libisc4/libdns5 which exist only in testing and unstable, not in stable. The issue is fixed for BIND 8/9 in unstable with the uploads referenced in the bug log. I am assuming that an update for libc6 for stable will follow as soon as the security team are able. If it affects GNU libc, which is still unclear, at least to me. Pine's original advisory states Platforms: FreeBSD, OpenBSD, NetBSD, maybe more. and so far the status of http://www.kb.cert.org/vuls/id/803539 for every Linux vendor is Unknown. Ray -- I love articles that remind you that one of the ingredients it recommends playing with is a nasty mutagen. Timothy introducing Recombinant DNA For The Home Hobbyist http://slashdot.org/article.pl?sid=00/06/18/1316258 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
RE: CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
-Original Message- From: J.H.M. Dassen (Ray) [mailto:[EMAIL PROTECTED] Sent: 01 July 2002 14:03 To: debian-security@lists.debian.org Subject: Re: CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries On Mon, Jul 01, 2002 at 13:24:37 +0100, Jeff Armstrong wrote: -Original Message- From: J.H.M. Dassen (Ray) [mailto:[EMAIL PROTECTED] This has been fixed; see http://bugs.debian.org/151342 for details. I don't think this is 'fixed'? Sam spoke of libisc4/libdns5 which exist only in testing and unstable, not in stable. The issue is fixed for BIND 8/9 in unstable with the uploads referenced in the bug log. I believe he asked if libisc4/libdns5 were the only things affected? As BIND8.2.3 is in stable, I think it might be prudent to assume that libraries in stable may be affected too. What about liblwres1 and libresolv.so in libc6? I am assuming that an update for libc6 for stable will follow as soon as the security team are able. If it affects GNU libc, which is still unclear, at least to me. Pine's original advisory states Platforms: FreeBSD, OpenBSD, NetBSD, maybe more. and so far the status of http://www.kb.cert.org/vuls/id/803539 for every Linux vendor is Unknown. libc6 is indeed a big package and the Pine announcement seems rather general, if we are lucky, Debians libresolv.so wont need an update. Remember that the exploit affects programs that link against these libraries to query a DNS server - you don't have to have BIND installed to be vulnerable. Call me paranoid, but I'm still not convinced that this issue is fixed. Regards Jeff -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
Jeff Armstrong [EMAIL PROTECTED] writes: libc6 is indeed a big package and the Pine announcement seems rather general, if we are lucky, Debians libresolv.so wont need an update. I wouldn't count on it. But there aren't any updates in the GNU libc CVS yet. -- Florian Weimer[EMAIL PROTECTED] University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/ RUS-CERT fax +49-711-685-5898 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: CERT Advisory CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries
Jeff == Jeff Armstrong [EMAIL PROTECTED] writes: [...] Jeff libc6 is indeed a big package and the Pine announcement seems Jeff rather general, if we are lucky, Debians libresolv.so wont need an Jeff update. The Pine announcement only mentions the libc from BSD-based systems, which is different from Linux's glibc, I believe. -- Hubert Chan [EMAIL PROTECTED] - http://www.uhoreg.ca/ PGP/GnuPG key: 1024D/124B61FA Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA Key available at wwwkeys.pgp.net. Encrypted e-mail preferred. pgp4Mbr7AHQz6.pgp Description: PGP signature