Glibc exploits? ...dnsmasq "could" help.

Posted: 06 Jul 2016, 09:14
by fullmoonremix
- http://www.darknet.org.uk/2016/02/the-l ... d-to-know/

Our suggested mitigation is to limit the response (i.e., via Dnsmasq or similar programs)
- http://arstechnica.com/security/2016/02 ... ulnerable/

Meanwhile, Glibc maintainers provided the following additional mitigation details:

Mitigating factors for UDP include:
- A firewall that drops UDP DNS packets > 512 bytes.
- A local resolver (that drops non-compliant responses).
- Avoid dual A and AAAA queries (avoids buffer management error), e.g.
  do not use AF_UNSPEC.
- No use of `options edns0` in /etc/resolv.conf since EDNS0 allows
  responses larger than 512 bytes and can lead to valid DNS responses
  that overflow.
- No use of `RES_USE_EDNS0` or `RES_USE_DNSSEC` since they can both
  lead to valid large EDNS0-based DNS responses that can overflow.

Mitigating factors for TCP include:
- Limit all replies to 1024 bytes.

An alternative like Musl "could" also help.

One Linux-based package that's not vulnerable is Google's Android mobile operating system. It uses a glibc substitute known as Bionic and isn't susceptible, a company representative said.

(see also... https://access.redhat.com/errata/RHSA-2016:0175 )


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Preface... :(
A Contingency plan is a plan devised for an outcome other than in the usual (expected) plan.
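
As an added example (not part of the original post or of any project it links to), the resolver-side mitigations listed above can be checked on a host with a short script: it flags `edns0` in resolv.conf text, lists nameservers that are not a local resolver, and applies the 512-byte UDP and 1024-byte TCP limits to a reply size. The function names and the sample file are constructed for illustration; merging options from the `RES_OPTIONS` environment variable is an assumption based on glibc's documented resolver behaviour, not something the post mentions.

```python
import ipaddress

UDP_LIMIT = 512    # post: firewall drops UDP DNS packets > 512 bytes
TCP_LIMIT = 1024   # post: limit all TCP replies to 1024 bytes

# Constructed sample input (192.0.2.53 is a documentation address).
SAMPLE_RESOLV_CONF = """\
# constructed example
nameserver 192.0.2.53
nameserver 127.0.0.1
options timeout:2 edns0
; options rotate
"""

def parse_resolv_conf(text):
    """Return (nameservers, options) from resolv.conf text, skipping comments."""
    nameservers, options = [], []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0][0] in "#;":
            continue
        if fields[0] == "nameserver" and len(fields) > 1:
            nameservers.append(fields[1])
        elif fields[0] == "options":
            options.extend(fields[1:])
    return nameservers, options

def is_loopback(addr):
    """True for 127.0.0.0/8 or ::1, i.e. a resolver on this host (e.g. Dnsmasq)."""
    try:
        return ipaddress.ip_address(addr.split("%")[0]).is_loopback
    except ValueError:
        return False

def audit(text, res_options_env=""):
    """Check the two resolver-side mitigations: no edns0, local resolver only."""
    nameservers, options = parse_resolv_conf(text)
    options += res_options_env.split()  # RES_OPTIONS adds options at run time
    return {
        "edns0": "edns0" in options,
        "remote_nameservers": [n for n in nameservers if not is_loopback(n)],
    }

def reply_within_limit(transport, size):
    """Apply the size limits quoted in the post to one DNS reply."""
    limits = {"udp": UDP_LIMIT, "tcp": TCP_LIMIT}
    return size <= limits[transport.lower()]

if __name__ == "__main__":
    print(audit(SAMPLE_RESOLV_CONF))
    for transport, size in [("udp", 512), ("udp", 2048), ("tcp", 1024)]:
        print(transport, size, reply_within_limit(transport, size))
```

To audit a real host, pass the contents of /etc/resolv.conf and `os.environ.get("RES_OPTIONS", "")` to `audit()`.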