Re: [exim] CVE-2015-0235 - glibc gethostbyname remotely expl…

Author: Phil Pennock
Date:
To: exim-users
Subject: Re: [exim] CVE-2015-0235 - glibc gethostbyname remotely exploitable via exim
On 2015-01-27 at 18:48 +0000, Viktor Dukhovni wrote:
> FWIW, Postfix never uses gethostbyname() on systems that have
> getaddrinfo() (build configuration enables IPv6 API support).


A code vulnerability in a library _happens_ to have affected
gethostbyname(), but could as easily have affected getaddrinfo().
There's little to no utility in migrating a cross-platform software
product like Exim from one API to another, when both APIs are provided
by the same product, under the same controls.

Jumping ship would be doing something for the sake of doing something,
addressing only whichever API most recently happened to have a
vulnerability; it does not address any systemic issues and there's
no guarantee that it would actually help.

-Phil