[dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow
marek at vavrusa.com
Wed Feb 17 11:16:16 UTC 2016
On 17 February 2016 at 09:24, Florian Weimer <fw at deneb.enyo.de> wrote:
> * Stephane Bortzmeyer:
>> On Tue, Feb 16, 2016 at 03:49:18PM +0000,
>> Tony Finch <dot at dotat.at> wrote
>> a message of 41 lines which said:
>>> Technical analysis and patch:
>> And a lot of stupid advice (limiting answers to 512 bytes in the
> Which is fine for a default configuration because the glibc stub
> resolver does not enable EDNS0, so a compliant recursor will not send
> larger responses anyway.
It may over TCP though.
>> disabling IPv6 and/or DNSSEC in applications, etc.
> Disabling IPv6 does not actually work as a mitigation, and neither
> does filtering AAAA responses.
> But it's certainly true there aren't any good network-side mitigation
A scrubbing resolver/recursor is a good start to tackle this if you're
behind a personal/organization resolver.
Encouraging cropping answers network-side is going to cripple DNS even
more than it is today.
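One way to make the size bound this thread argues about explicit, as an added example (not code from the post, from glibc, or from any resolver): given the query a stub sent and the transport it used, compute the largest reply a compliant recursor would return to it, then flag anything larger. It generalizes the point above to queries that do carry an EDNS0 OPT record; the message builders, the example.com query and the padded AAAA reply are constructed here for illustration.

```python
import struct

def encode_name(name):
    # Wire-format name: length-prefixed labels ending in a zero byte.
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def skip_name(msg, off):
    # Advance past a name; a compression pointer (0xC0..) ends it in two bytes.
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def edns0_udp_size(query):
    """UDP payload size from the query's OPT record, or None without EDNS0 (glibc default)."""
    qd, an, ns, ar = struct.unpack("!4H", query[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4          # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == 41:                           # OPT: the CLASS field carries the size
            return rclass
        off += 10 + rdlen
    return None

def response_size_limit(query, transport):
    """Largest reply a compliant recursor may send in answer to this query."""
    if transport == "tcp":
        return 65535                              # length-prefixed stream; EDNS0 irrelevant
    size = edns0_udp_size(query)
    return 512 if size is None else max(512, size)

def oversized(query, response, transport):
    return len(response) > response_size_limit(query, transport)

# Constructed samples: an AAAA query with or without OPT, and a reply padded with AAAA records.
def build_query(name, qtype=28, edns_size=None):
    hdr = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg = hdr + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_size:
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)   # root name + OPT
    return msg

def build_aaaa_response(name, count):
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, count, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 28, 1, 300, 16) + b"\x20\x01" + b"\x00" * 14
    return hdr + encode_name(name) + struct.pack("!HH", 28, 1) + rr * count
```

With the constructed 20-record reply (589 bytes), the stub that sent no OPT record is flagged over UDP but not over TCP, and a stub advertising 4096 bytes is not flagged at all.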