On 28. jan. 2015 06.50.31 Peter <pe...@pajamian.dhs.org> wrote:
On 01/28/2015 06:17 PM, Vijay Rajah wrote:
> Hello,
>
> I'm sure most of you are aware of the latest Glibc vulnerability. (FYI:
> http://www.openwall.com/lists/oss-security/2015/01/27/9)
>
> I'm not sure if postfix is vulnerable. I see from that posting that,
> exim under certain configurations, is vulnerable.
>
> I think since postfix supports IPV6, it would use the getaddrinfo()
> function. Is there any place where the older getbyhostname() function is
> still used?
>
> Is postfix in any way at all, vulnerable to this bug?

Honestly, I don't know if postfix uses that function or not, but if postfix isn't vulnerable then you almost certainly have some other program on your box that is. I would recommend that you update glibc without delay regardless.

The bug is resolved in glibc 2.18, and possibly in other distros with lots of backports; in Gentoo it's glibc 2.19 stable. Note that a glibc update cannot be reversed in terms of version numbers, so be sure to ask maintainers first.