[dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow
Florian Weimer
fw at deneb.enyo.de
Tue Feb 23 20:42:52 UTC 2016
* Brian Hartvigsen:
> (For me this is also an issue with the disclosure, we want to protect
> people from being exploited obviously, but the initial posting didn’t
> give a ton of information on what an actual attack could/would look
> like.
We were pretty sure that there was no effective recursor-side
mitigation of unknown attacks, without resorting to
non-protocol-compliant hacks. This has not changed.
I expect that it will be relatively straightforward to filter concrete
attacks (if they ever happen), with the usual whack-a-mole approach,
as they pass through the DNS hierarchy. Of course, this does not
apply to exploitation by on-path or blind-spoofing attackers,
bypassing the DNS hierarchy.
More information about the dns-operations
mailing list