Date: 03 Jul 2002 03:43:29 +0200 From: Dag-Erling Smorgrav <des@ofug.org> To: freebsd-security@freebsd.org Cc: freebsd-security@FreeBSD.ORG Subject: Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response Message-ID: <xzp7kkd8u2m.fsf@flood.ping.uio.no> In-Reply-To: <20020703012422.GC9314@pir.net> References: <NEBBIGLHNDFEJMMIEGOOGEHGFCAA.peter@skyrunner.net> <xzpk7od8vwt.fsf@flood.ping.uio.no> <200207030109.g6319Ufb008965@apollo.backplane.com> <xzpbs9p8v8b.fsf@flood.ping.uio.no> <20020703012422.GC9314@pir.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Peter Radcliffe <pir@pir.net> writes: > Dag-Erling Smorgrav <des@ofug.org> probably said: > > As far as I know, named itself is not vulnerable, but libbind contains > > the bug, and software that uses libbind's gethost*() (nothing in the > > base system does) is vulnerable. > Does -STABLE's /usr/bin/dig, host, etc, not use libbind, then ? They don't use the parts of libbind that contain the bug. They use low-level functions that return raw DNS records rather than just host names or IP addresses. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?xzp7kkd8u2m.fsf>