Date: Wed, 29 Jul 2015 07:26:31 +0300 From: Solar Designer <solar@...nwall.com> To: Michael McNally <mcnally@....org> Cc: oss-security@...ts.openwall.com Subject: Re: [BIND] CVE-2015-5477: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure On Tue, Jul 28, 2015 at 11:52:53PM -0400, Michael McNally wrote: > A deliberately constructed packet can exploit an error in the > handling of queries for TKEY records, permitting denial of service. As an attack surface reduction measure for a subset of builds/users, would it make sense to exclude the corresponding code and functionality from --without-openssl builds (which effectively lack DNSSEC support anyway, and often deliberately so)? If so, I wish this had been done by now, thereby mitigating this bug for those builds and users, but perhaps it still makes sense to do so now (upstream?) in case there are more bugs "like this" in code that is DNSSEC-related yet doesn't directly depend on OpenSSL (hence, isn't excluded in --without-openssl builds yet). Security aside, this would also reduce the (binary) code size. Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ