[dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow
Damian Menscher
damian at google.com
Tue Feb 23 18:20:53 UTC 2016
On Tue, Feb 23, 2016 at 10:01 AM, Mike Hoskins (michoski) <michoski at cisco.com> wrote:
> Just in case anyone's wondering, OpenDNS isn't affected.
>
> https://engineering.opendns.com/2016/02/17/2980/
>
They're not directly vulnerable, but their claim that they protect their
users is a bit over-stated -- all RFC-compliant DNS servers provide the
same protections (not forwarding packets that don't follow the DNS spec).

The problem is that there *might* be a way to exploit this via
RFC-compliant DNS packets (I'm personally not convinced, but nobody wants
to claim it's impossible). And that would get past their defenses (and
everyone else's).

Additionally, anyone using a remote resolver is vulnerable to a MitM
injecting a malicious response, so everyone should upgrade. Claims that
OpenDNS users "aren't affected" are misleading and dangerous.

Damian