Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response

From: Dag-Erling Smorgrav (des@ofug.org)
Date: 07/03/02

• Next message: Asep Ruspeni: "limiting proxy access"
• Previous message: Peter Radcliffe: "Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response"
• In reply to: Peter Radcliffe: "Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response"
• Next in thread: Peter Radcliffe: "Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response"
• Reply: Peter Radcliffe: "Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: freebsd-security@freebsd.org
From: Dag-Erling Smorgrav <des@ofug.org>
Date: 03 Jul 2002 03:43:29 +0200

Peter Radcliffe <pir@pir.net> writes:
> Dag-Erling Smorgrav <des@ofug.org> probably said:
> > As far as I know, named itself is not vulnerable, but libbind contains
> > the bug, and software that uses libbind's gethost*() (nothing in the
> > base system does) is vulnerable.
> Does -STABLE's /usr/bin/dig, host, etc, not use libbind, then ?

They don't use the parts of libbind that contain the bug. They use
low-level functions that return raw DNS records rather than just host
names or IP addresses.

DES

-- 
Dag-Erling Smorgrav - des@ofug.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

• Next message: Asep Ruspeni: "limiting proxy access"
• Previous message: Peter Radcliffe: "Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response"
• In reply to: Peter Radcliffe: "Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response"
• Next in thread: Peter Radcliffe: "Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response"
• Reply: Peter Radcliffe: "Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: libc flaw: BIND 9 closes most holes but also opens one ... >the bug and libbind. ... >no circumstances is the Bind named server a vector for risk. ... >ported/portable software) can an installation of Bind introduce risk. ... (FreeBSD-Security) Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response ... > As far as I know, named itself is not vulnerable, but libbind contains ... > the bug, and software that uses libbind's gethost*() (nothing in the ... with "unsubscribe freebsd-security" in the body of the message ... (FreeBSD-Security)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint