Date: Wed, 29 Jul 2015 07:26:31 +0300
From: Solar Designer <solar@...nwall.com>
To: Michael McNally <mcnally@....org>
Cc: oss-security@...ts.openwall.com
Subject: Re: [BIND] CVE-2015-5477: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure

On Tue, Jul 28, 2015 at 11:52:53PM -0400, Michael McNally wrote:
> A deliberately constructed packet can exploit an error in the
> handling of queries for TKEY records, permitting denial of service.

As an attack surface reduction measure for a subset of builds/users,
would it make sense to exclude the corresponding code and functionality
from --without-openssl builds (which effectively lack DNSSEC support
anyway, and often deliberately so)?  If so, I wish this had been done by
now, thereby mitigating this bug for those builds and users, but perhaps
it still makes sense to do so now (upstream?) in case there are more
bugs "like this" in code that is DNSSEC-related yet doesn't directly
depend on OpenSSL (hence, isn't excluded in --without-openssl builds
yet).  Security aside, this would also reduce the (binary) code size.

Alexander
