From: Michael Tremer
To: development@lists.ipfire.org
Subject: On CVE-2015-7547 - glibc/getaddrinfo
Date: Wed, 17 Feb 2016 09:14:54 -0800
Message-ID: <1455729294.4073.7.camel@ipfire.org>

Hi,

I just wanted to post my view and the next steps for a vulnerability that was recently discovered in glibc.

https://googleonlinesecurity.blogspot.nl/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

IPFire does not directly connect to the Internet. All DNS queries go through a DNS proxy (dnsmasq) first. dnsmasq limits the maximum reply size to 1280 bytes. To exploit the vulnerability, packets of at least 2048 bytes are required. So dnsmasq protects IPFire and the systems behind it.

This is, however, not a reason to not patch the vulnerability. It is still a rather serious vulnerability that makes *all* software that resolves names vulnerable.

Arne has already branched a new Core Update which will be available for testing soon.
Best,
-Michael
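As an added illustration of the mitigation described in the post (not code from the post or from the IPFire project), here is a small audit script that reads a dnsmasq configuration and reports whether the proxy's reply-size cap stays below the 2048-byte minimum the post gives for triggering CVE-2015-7547. It assumes the dnsmasq option `edns-packet-max=<size>` controls that cap and that the default, as the post states, is 1280 bytes; the sample configs are constructed.

```python
import re

# Figures taken from the mailing-list post: dnsmasq caps replies at 1280
# bytes (assumed default here), while triggering CVE-2015-7547 needs a
# reply of at least 2048 bytes.
PROXY_DEFAULT_LIMIT = 1280
EXPLOIT_MIN_REPLY = 2048

# Option name assumed for this example: dnsmasq's edns-packet-max=<size>.
_EDNS_MAX = re.compile(r"^\s*edns-packet-max\s*=\s*(\d+)\s*$")


def effective_reply_limit(config_text):
    """Return the largest UDP reply the proxy would pass on, per its config.

    Comments (after '#') and unrelated lines are ignored; if the option
    appears more than once, the last occurrence wins.
    """
    limit = PROXY_DEFAULT_LIMIT
    for line in config_text.splitlines():
        stripped = line.split("#", 1)[0]
        match = _EDNS_MAX.match(stripped)
        if match:
            limit = int(match.group(1))
    return limit


def audit(config_text):
    """Report the effective cap and whether it blocks an over-sized reply."""
    limit = effective_reply_limit(config_text)
    return {"limit": limit, "shields_clients": limit < EXPLOIT_MIN_REPLY}


# Constructed sample configs: one relying on the default, one raising the
# cap above the exploit threshold.
DEFAULT_CONF = "domain-needed\nbogus-priv\n# edns-packet-max=4096 (commented out)\n"
RAISED_CONF = "domain-needed\nedns-packet-max=4096  # raised for large DNSSEC replies\n"

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("raised", RAISED_CONF)):
        print(name, audit(conf))
```

The check only covers the proxy's cap; as the post says, the resolver library itself still needs the patched glibc.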