[dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow
Florian Weimer
fw at deneb.enyo.de
Wed Feb 17 09:24:29 UTC 2016
* Stephane Bortzmeyer:
> On Tue, Feb 16, 2016 at 03:49:18PM +0000,
> Tony Finch <dot at dotat.at> wrote
> a message of 41 lines which said:
>
>> Technical analysis and patch:
>>
>> https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
>
> And a lot of stupid advice (limiting answers to 512 bytes in the
> firewall),

Which is fine for a default configuration because the glibc stub
resolver does not enable EDNS0, so a compliant recursor will not send
larger responses anyway.

> disabling IPv6 and/or DNSSEC in applications, etc.

Disabling IPv6 does not actually work as a mitigation, and neither
does filtering AAAA responses.

But it's certainly true there aren't any good network-side mitigation
options.
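
Added example, not part of the original message: a small parser showing how a query's EDNS0 OPT record (or its absence) determines the largest UDP response a compliant server may send, which is why a 512-byte limit does not affect a stub that sends no OPT record. The function names and the sample queries are constructed for illustration.

```python
import struct

OPT = 41                 # EDNS0 pseudo-RR type (RFC 6891)
CLASSIC_UDP_LIMIT = 512  # RFC 1035 UDP limit when the query carries no OPT record


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the domain name that starts at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length


def advertised_udp_size(query: bytes) -> int:
    """Largest UDP response a compliant server may send for this query."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", query, 0)
    off = 12
    for _ in range(qd):                        # question: name, type, class
        off = skip_name(query, off) + 4
    for i in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", query, off)
        off += 10 + rdlen
        if rtype == OPT and i >= an + ns:      # OPT belongs in the additional section
            return max(rclass, CLASSIC_UDP_LIMIT)  # values below 512 count as 512
    return CLASSIC_UDP_LIMIT


def build_query(name: str, qtype: int, edns_size=None) -> bytes:
    """Constructed sample query; edns_size=None models a stub without EDNS0."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg = header + qname + struct.pack("!HH", qtype, 1)
    if edns_size:
        # OPT RR: root name, type 41, CLASS field carries the UDP payload size
        msg += b"\0" + struct.pack("!HHIH", OPT, edns_size, 0, 0)
    return msg


PLAIN_AAAA = build_query("example.com", 28)        # constructed: no OPT record
EDNS_AAAA = build_query("example.com", 28, 4096)   # constructed: OPT advertising 4096

if __name__ == "__main__":
    for label, q in (("plain", PLAIN_AAAA), ("edns0", EDNS_AAAA)):
        print(label, advertised_udp_size(q))
```
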