Slashdot Mirror


Magnitude of glibc Vulnerability Coming To Light (threatpost.com)

msm1267 writes: The glibc vulnerability disclosed this week has some experts on edge because of how DNS can be leveraged in exploits. Dan Kaminsky said that while man-in-the-middle attacks are one vector, it would appear that it's also possible to exploit the bug and attack most Linux servers via DNS caching-only servers. 'This would be substantially worse if it went through the caching ecosystem; 99 percent of attack vectors go through that system,' Kaminsky said. Glibc, or the GNU C library, is used by most flavors of Linux and also a number of popular web services and frameworks, giving attacks potentially massive horizontal scale. The major Linux distros have patched and pushed updates to servers; source code is also available for homegrown Linux builds.
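The summary notes that the distros have pushed updated glibc packages, but installing a new libc does nothing for processes that were already running: each of them keeps the old, now-deleted library mapped until it is restarted. The POSIX shell check below is an added example (mine, not from the Threatpost article, the distros, or anyone in this thread) that lists the PIDs still mapping a deleted libc so an operator can finish the restart sweep. It assumes a Linux /proc tree where the kernel marks replaced file mappings with " (deleted)"; the function names and the sample maps lines are my own constructions.

```shell
#!/bin/sh
# Added example (not from the Threatpost article or the Slashdot thread):
# after a distro ships a patched glibc, every process that was already
# running keeps the OLD libc mapped until it is restarted, so "updates
# pushed" does not mean "servers fixed". This lists the PIDs whose memory
# map still references a deleted libc.
#
# Assumptions (mine, not the page's): a Linux /proc layout where each
# process directory has a "maps" file, and the kernel appending
# " (deleted)" to mappings of files that were replaced on disk.

# Print one PID per line for every process still mapping a deleted libc.
# $1: root of the proc tree to scan (default /proc; a fake tree for testing).
stale_libc_pids() {
    procroot="${1:-/proc}"
    for maps in "$procroot"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # libc is named libc.so.6 or libc-<version>.so depending on the
        # distro; the pattern deliberately does not match libcrypto etc.
        if grep -Eq '/libc(-[0-9.]+)?\.so[^ ]* \(deleted\)' "$maps"; then
            pid="${maps%/maps}"
            echo "${pid##*/}"
        fi
    done
}

# Number of such processes; 0 means the restart sweep is complete.
stale_libc_count() {
    stale_libc_pids "$1" | wc -l | tr -d ' '
}

# Usage: sh stale_libc.sh scan        (scan the live /proc tree)
case "${1:-}" in
    scan)
        echo "glibc reported by the dynamic linker:"
        ldd --version 2>/dev/null | head -n 1
        echo "PIDs still mapping a deleted libc (restart these):"
        stale_libc_pids /proc
        ;;
esac
```

Run it as root (or at least as a user that can read other processes' maps) after the package update; anything it lists, including long-lived daemons and init-spawned services, is still executing the vulnerable resolver code until restarted or the host is rebooted.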

5 of 139 comments

  1. That's what they get by Anonymous Coward · · Score: 5, Funny

    For being glib about it. (ba dump)

  2. strlcpy() isn't good enough for glibc. by emil · · Score: 5, Interesting

    No, it "only leads to other errors".

    Funny, I haven't heard of any showstopper bugs in OpenBSD libc - not this year, not ever. And it's ubiquitous, since I'm running it on my phone.

    This bug, after ghost, would be a good opportunity to take a step back for a serious assessment of what must be removed for a secure system.

  3. Re:APK time. by tnk1 · · Score: 4, Insightful

    In the event you didn't see his constant ads, APK's activities were a commercial activity on this site, which an ad supported, non-government operated site has every right to block. The fact that he was incredibly annoying and abusive about dealing with criticism is just icing on the cake.

    Get back to me when they start dealing with people who aren't billboards for a commercial product whose only other activity is trolling people who provide criticisms of said product.

  4. Re:Hands up by chipschap · · Score: 5, Insightful

    If this had been a vulnerability in MSVCRT, it would have been concealed as long as possible, and who knows when it would have been fixed?

    However as this is a Linux vulnerability, it was openly discussed and it was fixed at once.

    There, FTFY.

  5. Re:Too bad by Anonymous Coward · · Score: 4, Funny

    Odd, I don't remember writing this.