Re: [exim] CVE-2015-0235 - glibc gethostbyname remotely expl…

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] CVE-2015-0235 - glibc gethostbyname remotely exploitable via exim
On Tue, Jan 27, 2015 at 07:20:36PM +0000, Phil Pennock wrote:

> On 2015-01-27 at 18:48 +0000, Viktor Dukhovni wrote:
> > FWIW, Postfix never uses gethostbyname() on systems that have
> > getaddrinfo() (build configuration enables IPv6 API support).
>
> A code vulnerability in a library _happens_ to have affected
> gethostbyname(), but could as easily have affected getaddrinfo().
> There's little to no utility in migrating a cross-platform software
> product like Exim from one API to another, when both APIs are provided
> by the same product, under the same controls.
>
> Jumping ship would be doing something for the sake of doing something,
> addressing only whichever API most recently happened to have a
> vulnerability; it does not address any systemic issues and there's
> no guarantee that it would actually help.


No problem, of course. I did say FWIW, and suggested a possible
work-around; I hope I did not make the suggestion needlessly strong.

-- 
    Viktor.