Hi security experts, On Wed, 09 Jul 2008 03:55:27 +0000 Nick Boyce <[EMAIL PROTECTED]> wrote: > Also, which Debian systems would otherwise use the libc stub resolver ? > All systems which *don't* have BIND installed ?
I want to know that, too. Should ALL systems (servers or desktops/laptops) need to be installed and configure bind9 (or something) package, or need to wait for update? And some of Japanese Debian users ask me, "Really? Should we need to care about glibc for this issue? Any distros except Debian have not released any security advisories for glibc yet. I read DSA, but how do we deal with this glibc's DNS vulnerability?" At CERT site, glibc has "Status Summary Unknown" see http://www.kb.cert.org/vuls/id/MIMG-7ECL7W At glibc upstream cvsweb page, I cannot find any update for this issue. http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/NEWS?cvsroot=glibc If we don't apply workaround in DSA-1605, my Debian box is exploitable? If exploitable, is it easy (impact/risk)? I'm confused... help. -- Regards, Hideki Yamane henrich @ debian.or.jp/iijmio-mail.jp http://wiki.debian.org/HidekiYamane -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
