[dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow

Damian Menscher damian at google.com
Tue Feb 23 18:20:53 UTC 2016

On Tue, Feb 23, 2016 at 10:01 AM, Mike Hoskins (michoski) <
michoski at cisco.com> wrote:

> Just in case anyone's wondering, OpenDNS isn't affected.
> https://engineering.opendns.com/2016/02/17/2980/

They're not directly vulnerable, but their claim that they protect their
users is a bit over-stated -- all RFC-compliant DNS servers provide the
same protections (not forwarding packets that don't follow the DNS spec).
The problem is that there *might* be a way to exploit this via
RFC-compliant DNS packets (I'm personally not convinced, but nobody wants
to claim it's impossible).  And that would get past their defenses (and
everyone else's).

Additionally, anyone using a remote resolver is vulnerable to a MitM
injecting a malicious response, so everyone should upgrade.  Claims that
OpenDNS users "aren't affected" are misleading and dangerous.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20160223/f2156429/attachment.html>

More information about the dns-operations mailing list