Cyber folks asked if there was any way for the DNS servers to "protect" the vulnerable clients. The only thing I could see from the explanation was disabling or limiting EDNS0 sizes. That is obviously not a long-term option.

On Feb 17, 2016 11:39 AM, "Alan Clegg" <a...@clegg.com> wrote:
> On 2/17/16, 11:34 AM, "Reindl Harald" <bind-users-boun...@lists.isc.org on
> behalf of h.rei...@thelounge.net> wrote:
>
> >On 17.02.2016 at 17:22, Dominique Jullier wrote:
> >> Are there any thoughts around, how to handle yesterday's glibc
> >> vulnerability[1][2] from the side bind?
> >>
> >> Since it is a rather painful task in order to update all hosts to a new
> >> version of glibc, we were thinking about other possible workarounds
> >
> >Fedora, RHEL and Debian as well as likely all other relevant
> >distributions are providing a patched glibc - dunno what is "rather
> >painful" to apply an ordinary update like kernel security updates and
> >restart all network relevant processes or reboot
>
> While I agree that the "major distributions" (and even the minor ones) are
> getting patches out, I'd like to point out something that Alan Cox posted
> over on G+:
>
> "You can upgrade all your servers but if that little cheapo plastic box on
> your network somewhere has a vulnerable post 2008 glibc and ever does DNS
> lookups chances are it's the equivalent of a trapdoor into your network."
>
> https://plus.google.com/+AlanClegg/posts/R1UkJjHMMB6
>
> There does need to be something a bit deeper than "patch your servers"..
>
> AlanC
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
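What "limiting EDNS0 sizes" means on the wire, as an added example that is not part of the original messages: it reads the UDP payload size a client advertises in its EDNS0 OPT record (RFC 6891) and computes the reply limit a server applies when capped at a configured maximum. The function names, the `server_cap` parameter (standing in for a server-side setting such as BIND's `max-udp-size`) and the sample queries are assumptions constructed for illustration.

```python
import struct

OPT = 41             # RR type of the EDNS0 pseudo-record (RFC 6891)
CLASSIC_LIMIT = 512  # UDP limit when a query carries no OPT record

def skip_name(msg, off):
    """Return the offset just past the domain name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer ends the name
            return off + 2
        off += 1 + length

def advertised_udp_size(msg):
    """UDP payload size the sender advertises via EDNS0, else 512."""
    try:
        _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
        off = 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4          # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            if rtype == OPT:                       # CLASS field holds the size
                return max(rclass, CLASSIC_LIMIT)  # below 512 is treated as 512
            off += 10 + rdlen
    except (IndexError, struct.error):
        pass                                       # malformed: fall back to 512
    return CLASSIC_LIMIT

def udp_reply_limit(query, server_cap):
    """Largest UDP reply a server capped at server_cap sends for this query."""
    return min(advertised_udp_size(query), server_cap)

def must_truncate(query, reply_len, server_cap):
    """True when the reply gets the TC bit and the client must retry over TCP."""
    return reply_len > udp_reply_limit(query, server_cap)

def build_query(name, edns_size=None):
    """Constructed sample input: an A query, optionally with an OPT record."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0 if edns_size is None else 1)
    msg += qname + struct.pack("!HH", 1, 1)        # QTYPE=A, QCLASS=IN
    if edns_size is not None:
        msg += b"\x00" + struct.pack("!HHIH", OPT, edns_size, 0, 0)
    return msg
```

The cap only bounds UDP replies: a truncated reply sends the client back over TCP, where this limit does not apply.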