Re: [exim] CVE-2015-0235 - glibc gethostbyname remotely expl…

Author: Phil Pennock
Date:
To: exim-users
Subject: Re: [exim] CVE-2015-0235 - glibc gethostbyname remotely exploitable via exim
On 2015-01-27 at 18:48 +0000, Viktor Dukhovni wrote:
> FWIW, Postfix never uses gethostbyname() on systems that have
> getaddrinfo() (build configuration enables IPv6 API support).


A code vulnerability in a library _happens_ to have affected
gethostbyname(), but could as easily have affected getaddrinfo().
There's little to no utility in migrating a cross-platform software
product like Exim from one API to another, when both APIs are provided
by the same product, under the same controls.

Jumping ship would be doing something for the sake of doing something,
addressing only whichever API most recently happened to have a
vulnerability; it does not address any systemic issues and there's
no guarantee that it would actually help.

-Phil