[Secure-testing-team] Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]

brian m. carlson sandals at crustytoothpaste.ath.cx
Tue Jul 22 00:16:14 UTC 2008


Package: libc6
Version: 2.7-12
Severity: critical
Tags: security

The glibc stub resolver is vulnerable to CVE-2008-1447, according to DSA
1605.  Since the vast majority of network-using programs use glibc as a
resolver, this vulnerability affects virtually any network-using
program, hence the severity.  libc6 should not be released without a fix
for this problem.

The vulnerability has been exposed:

http://demosthen.es/post/43048623/reliable-dns-forgery-in-2008

If Slashdot knows it, so does everyone else.

-- System Information:
Debian Release: lenny/sid
   APT prefers unstable
   APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libc6 depends on:
ii  libgcc1                       1:4.3.1-6  GCC support library

libc6 recommends no packages.

Versions of packages libc6 suggests:
pn  glibc-doc                     <none>     (no description available)
ii  locales-all [locales]         2.7-12     GNU C Library: Precompiled locale 

-- debconf information:
   glibc/upgrade: true
   glibc/restart-failed:
   glibc/restart-services:

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20080722/661a5cfe/attachment.pgp 


More information about the Secure-testing-team mailing list