[Pdns-users] Regarding CVE-2015-7547 & PowerDNS Recursor
bert hubert
bert.hubert at powerdns.com
Wed Feb 17 13:38:05 UTC 2016
On Wed, Feb 17, 2016 at 02:12:51PM +0100, Nick Douma wrote:
> What about the static debian package on the website? I assume updating
> the OS libc package is not enough?

Hi Nick,

Good question. It turns out our recent static packages in fact link to the
system libc. We call these 'semi-static', but did not change the package
name.

Check with ldd /usr/sbin/pdns_server or /usr/sbin/pdns_recursor to see if
your version runs against the system libc. If it doesn't, chances are you are
running a version that needed to be updated anyhow!

Secondly, as a nameserver, we try not to resolve names using the system
library as this could create chicken/egg problems. We do use getaddrinfo()
but not to resolve names, only to convert IPv6 addresses, and that only if
inet_pton doesn't do the job. See
http://blog.powerdns.com/2014/05/21/a-surprising-discovery-on-converting-ipv6-addresses-we-no-longer-prefer-getaddrinfo/

If you connect to a MySQL or PostgreSQL database using a *named* database
host, those libraries might try to resolve a name, but we recommend against
that.

But chances are you are running a version of PowerDNS that does not contain
a vulnerable libc anyhow.

Bert
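
The inet_pton-first, getaddrinfo-as-fallback conversion described in the message above, as an added example (not PowerDNS code and not part of the original message). The helper name parse_ipv6_literal() and the sample addresses are hypothetical, and the use of AI_NUMERICHOST is an assumption about how to keep getaddrinfo() from resolving names.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Convert a textual IPv6 address to a sockaddr_in6 without any DNS lookup.
 * Returns 0 on success, -1 if the input is not a numeric IPv6 literal.
 * parse_ipv6_literal() is a hypothetical helper, not a PowerDNS function. */
int parse_ipv6_literal(const char *text, struct sockaddr_in6 *out)
{
    struct addrinfo hints, *res = NULL;
    int rc = -1;

    memset(out, 0, sizeof(*out));
    out->sin6_family = AF_INET6;

    /* Fast path: inet_pton() is pure string parsing, no resolver involved. */
    if (inet_pton(AF_INET6, text, &out->sin6_addr) == 1)
        return 0;

    /* Fallback for forms inet_pton() rejects, e.g. a scoped "fe80::1%1".
     * AI_NUMERICHOST makes getaddrinfo() fail on anything that is not an
     * address literal instead of sending a query for it. */
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_INET6;
    hints.ai_socktype = SOCK_DGRAM;
    hints.ai_flags = AI_NUMERICHOST;
    if (getaddrinfo(text, NULL, &hints, &res) != 0)
        return -1;
    if (res->ai_family == AF_INET6 && res->ai_addrlen == sizeof(*out)) {
        memcpy(out, res->ai_addr, sizeof(*out));
        rc = 0;
    }
    freeaddrinfo(res);
    return rc;
}

int main(void)
{
    /* Constructed sample inputs: plain literal, scoped literal, hostname. */
    const char *samples[] = { "2001:db8::1", "fe80::1%1", "localhost" };
    struct sockaddr_in6 sa;
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-12s -> %s\n", samples[i],
               parse_ipv6_literal(samples[i], &sa) == 0 ? "parsed" : "rejected");
    return 0;
}
```

A hostname such as "localhost" is rejected rather than looked up, so this code path never hands a name to the libc resolver.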