
CVE-2015-7547 status/fix?

Hello,


I would like to know the status of UTM 9 regarding the newly discovered bug in glibc CVE-2015-7547 (buffer overflow in getaddrinfo()). It looks like the current version is vulnerable and therefore will require a fix.

I don't think there is a workaround possible: the suggested ones all revolve around blocking UDP DNS packets larger than 512 bytes and I don't think that is possible in UTM.
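A check for the workaround mentioned above (flagging UDP DNS replies longer than 512 bytes, the kind of rule an IPS signature or filter would apply), added here as an example and not code from this thread or from UTM; the packets it inspects are constructed inline, and the threshold constant and function names are assumptions.

```python
import struct

# Threshold from the widely circulated CVE-2015-7547 mitigation advice:
# classic (non-EDNS0) DNS over UDP never carries more than 512 bytes.
MAX_UDP_DNS_REPLY = 512

def parse_dns_header(payload: bytes) -> dict:
    """Decode the 12-byte DNS header; raise ValueError if too short."""
    if len(payload) < 12:
        raise ValueError("payload shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),  # QR bit: 1 = response
        "truncated": bool(flags & 0x0200),    # TC bit
        "rcode": flags & 0x000F,
        "answers": an,
        "additional": ar,
    }

def oversized_dns_reply(payload: bytes, limit: int = MAX_UDP_DNS_REPLY) -> bool:
    """True when the UDP payload is a DNS response longer than `limit` bytes.
    Queries (QR=0) and payloads too short to be DNS are never flagged."""
    try:
        hdr = parse_dns_header(payload)
    except ValueError:
        return False
    return hdr["is_response"] and len(payload) > limit

def build_reply(size: int, truncated: bool = False) -> bytes:
    """Constructed sample: a DNS response header zero-padded to `size` bytes."""
    flags = 0x8180 | (0x0200 if truncated else 0)  # QR=1, RD, RA, NOERROR
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    return header + b"\x00" * max(0, size - len(header))

# Constructed test traffic: three replies of different sizes and one query.
SAMPLES = {
    "small_reply": build_reply(100),
    "edge_reply": build_reply(512),
    "large_reply": build_reply(600),
    "query": struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x00" * 700,
}

def flagged_samples() -> list:
    """Names of the constructed packets the size rule would block."""
    return sorted(name for name, pkt in SAMPLES.items() if oversized_dns_reply(pkt))

if __name__ == "__main__":
    print(flagged_samples())  # ['large_reply']
```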



  • This leaves us unprotected until 03.03.2016?
    It is ok to have a stable release soon but two weeks for a catastrophic/critical issue is way too long imo.

  • Just my opinion here;
    I'd rather they fully test and roll out the update than rush it out the door. Rushing an unstable fix causes us customers to be hesitant to push out these updates in a timely manner. This could have the opposite effect of creating a more secure setup.

    Hopefully other mitigations will come sooner. We've already put ourselves in a better situation by locking down third party DNS requests and forcing all queries through a trusted set of servers. Hopefully IPS signatures that block large DNS replies will be getting pushed out soon.

    Note that we're still waiting on some of our other vendors to even acknowledge the issue and they have no ETA on a fix...