[dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow
Dominic Hargreaves
dom at earth.li
Thu Feb 18 11:40:44 UTC 2016
On Wed, Feb 17, 2016 at 08:05:15PM +0100, Florian Weimer wrote:
> * Robert Edmonds:
> > Is Unbound's "msg-buffer-size: 2047" an effective workaround? :-) :-(
>
> I didn't realize this option existed. I'm not sure about the exact
> value to use there, but something like that should be an effective
> mitigation (if the limit really applies to all responses, including
> the last-resort handler).
>
> EDNS0 buffer sizes only affect UDP responses and are therefore not
> completely effective.
I tried this (with 1500 bytes), but it doesn't work without
recompilation: the minimum size the server will allow is 4096 bytes
(Debian 1.4.22-3).
Cheers,
Dominic.