Package: src:nx-libs
Severity: important
The NX source code uses gethostbyname() at several locations and is potentially affected by CVE 2015-0235 (GHOST security issue in glibc).
We should move towards using getaddrinfo() asap.
Mike
--
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976148
GnuPG Key ID 0x25771B13 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
Hi, Mike!
I'm looking at this and the previous bug (#777) and can't stop wondering whether applications should really contain workarounds for bugs in system libraries. Isn't it better to just depend on a newer version of the library (that has fixes for currently known bugs)?
There are a lot of older bugs in glibc (that are fixed in the current version). Does it mean that applications should be bloated with workarounds for such bugs just in order to work more safely on machines where users don't pay enough attention to updates?
On So 01 Feb 2015 13:40:59 CET, Nable wrote:
> Hi, Mike!
> I'm looking at this and the previous bug (#777) and can't stop wondering whether applications should really contain workarounds for bugs in system libraries. Isn't it better to just depend on a newer version of the library (that has fixes for currently known bugs)?
> There are a lot of older bugs in glibc (that are fixed in the current version). Does it mean that applications should be bloated with workarounds for such bugs just in order to work more safely on machines where users don't pay enough attention to updates?
That is a true way of reasoning...
However, gethostbyname is deprecated in glibc and not really IPv4/IPv6
compliant [1].
Mike
[1] http://beej.us/guide/bgnet/output/html/multipage/syscalls.html#getaddrinfo
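An added example (not taken from the nx-libs source and not written by anyone in this thread) of the getaddrinfo() call pattern the report asks for in place of gethostbyname(). The helper name `resolve_host`, the port `4008` and the sample addresses are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper: resolve host/port into at most `max` addresses.
 * Returns the number stored, or -1 if the resolver reports an error. */
int resolve_host(const char *host, const char *port,
                 struct sockaddr_storage *out, socklen_t *outlen, int max)
{
    struct addrinfo hints, *res, *ai;
    int n = 0, rc;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;     /* IPv4 and IPv6 results alike */
    hints.ai_socktype = SOCK_STREAM;

    rc = getaddrinfo(host, port, &hints, &res);
    if (rc != 0) {
        fprintf(stderr, "getaddrinfo(%s): %s\n", host, gai_strerror(rc));
        return -1;
    }
    for (ai = res; ai != NULL && n < max; ai = ai->ai_next) {
        if (ai->ai_addrlen > sizeof out[n])
            continue;                /* never copy past our own buffer */
        memcpy(&out[n], ai->ai_addr, ai->ai_addrlen);
        outlen[n++] = ai->ai_addrlen;
    }
    freeaddrinfo(res);               /* the result list is heap-allocated */
    return n;
}

int main(void)
{
    const char *hosts[] = { "127.0.0.1", "::1" };   /* constructed sample input */
    struct sockaddr_storage ss[4];
    socklen_t len[4];
    for (int i = 0; i < 2; i++)
        if (resolve_host(hosts[i], "4008", ss, len, 4) > 0)
            printf("%s: %s\n", hosts[i],
                   ss[0].ss_family == AF_INET6 ? "AF_INET6" : "AF_INET");
    return 0;
}
```

Each stored address can be passed straight to connect() or bind() with its recorded length, so the caller never branches on the address family.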
Processing control commands:
close -1
Bug #778 [nx-libs] affected by CVE 2015-0235: Stop using gethosbyname()
Marked Bug as done
archive -1
Bug #778 {Done: Stefan Baur <X2Go-ML-1@baur-itcs.de>} [nx-libs] affected by CVE 2015-0235: Stop using gethosbyname()
archived 778 to archive/78 (from 778)
--
778: https://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=778
X2Go Bug Tracking System
Contact owner@bugs.x2go.org with problems