bind buffer overflow vulnerability in DNS resolver libraries [LWN.net]

Package(s):

bind glibc

CVE #(s):

CAN-2002-0651 CAN-2002-0684

Created:

July 8, 2002

Updated:

October 1, 2003

Description:

The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc related vulnerability which does not affect Linux. Updates from the Internet Software Consortium (ISC) are available from here.

No release or branch of Openwall GNU/*/Linux (Owl) is known to be affected, due to Olaf Kirch's fixes for this problem getting into the GNU C library more than two years ago.

Unfortunatly that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Firch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as " used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

CAN-2002-0651
CAN-2002-0684

Alerts:

Mandrake	MDKSA-2002:050	2002-08-13
Yellow Dog	YDU-20020810-3	2002-08-10
Eridani	ERISA-2002:035	2002-08-09
Red Hat	RHSA-2002:133-13	2002-08-08
SCO Group	CSSA-2002-034.0	2002-08-05
Yellow Dog	YDU-20020801-2	2002-08-01
Eridani	ERISA-2002:028	2002-07-25
Red Hat	RHSA-2002:139-10	2002-07-22
EnGarde	ESA-20020724-018	2002-07-24
Mandrake	MDKSA-2002:043	2002-07-16
Trustix	2002-0061	2002-07-15
Gentoo	glibc-20020713	2002-07-13
Conectiva	CLA-2002:507	2002-07-11
SuSE	SuSE-SA:2002:026	2002-07-09
OpenPKG	OpenPKG-SA-2002.006	2002-07-04

(Log in to post comments)

RedHat fixes available for resolver bug

Posted Jul 25, 2002 6:30 UTC (Thu) by dananderson (guest, #905) [Link]

RedHat has fixes for glibc to fix the resolver bug. See RHSA-2002:139-10, http://rhn.redhat.com/errata/RHSA-2002-139.html