Re: libc flaw: BIND 9 closes most holes but also opens one
From: Andrew McNaughton (andrew@scoop.co.nz)
Date: 06/29/02
- Next message: Andrew Li: "OpenSSH_2.9"
- Previous message: Pat Lashley: "Re: Jailing SSHd"
- In reply to: Brett Glass: "libc flaw: BIND 9 closes most holes but also opens one"
- Next in thread: Mark.Andrews@isc.org: "Re: libc flaw: BIND 9 closes most holes but also opens one"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 29 Jun 2002 14:48:56 +1200 (NZST) From: Andrew McNaughton <andrew@scoop.co.nz> To: Brett Glass <brett@lariat.org>
On Fri, 28 Jun 2002, Brett Glass wrote:
> I've installed BIND 9 on our main domain name server to shield systems
> (including Windows boxes, which may be vulnerable) from the libc hole.
> Unfortunately, according to ISC, BIND 9 comes with a version of
> libbind that's vulnerable. (See http://www.cert.org/advisories/CA-2002-19.html.)
> So, if you load up BIND 9 and an app that uses it (such as Sendmail) links
> to the vulnerable libbind, you're still exposed.
You do have an advantage though in tha bind can run with reduced
privileges and in a chroot dir. Much the same sort of protection that
privilege separation in sshd affords.
Given that unsafe privileged code is talking to bind, a compromised bind
could perhaps be made to do evil things, but producing an exploit which
modifies the executing code to that extent is no easy target.
Andrew McNaughton
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
- Next message: Andrew Li: "OpenSSH_2.9"
- Previous message: Pat Lashley: "Re: Jailing SSHd"
- In reply to: Brett Glass: "libc flaw: BIND 9 closes most holes but also opens one"
- Next in thread: Mark.Andrews@isc.org: "Re: libc flaw: BIND 9 closes most holes but also opens one"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
