Re: tcpd -DPARANOID doesn't work, and never did

From: Dave Barr (barrat_private-STATE.EDU)
Date: Mon Nov 09 1998 - 15:09:50 PST


    Wietse Venema wrote:
    >
    > The claim made in the SUBJECT line is incorrect.
    >
    > First of all, whether or not the attack fails depends on the BIND
    > version being used; for example, the once widely-used BIND 4.8
    > forces the TTL to be at least five minutes, stopping the attack.
    
    There were numerous fixes in BIND 4.9 which fixed various issues
    like this.
    
    For those that are curious, see doc/bind/vixie-security.ps in the
    BIND (documentation) distribution.  It explicitly mentions fixes
    which close the holes in BIND with respect to gethostby{name,addr}()
    checks.
    
    --Dave
    


