Description

The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.

From https://sourceware.org/bugzilla/show_bug.cgi?id=21361

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e14a27723cc3a154d67f3f26e719d08c0ba9ad25

commit e14a27723cc3a154d67f3f26e719d08c0ba9ad25
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Apr 13 13:09:38 2017 +0200

    resolv: Reduce EDNS payload size to 1200 bytes [BZ #21361]

    This hardens the stub resolver against fragmentation-based attacks.
-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                |  21 ++
 NEWS                     |   3 +-
 include/resolv.h         |   3 -
 resolv/Makefile          |   2 +
 resolv/res_mkquery.c     |  28 +++-
 resolv/res_query.c       |  23 ++-
 resolv/resolv-internal.h |  18 ++
 resolv/tst-resolv-edns.c | 501 ++++++++++++++++++++++++++++++++++++++++++++++
 support/resolv_test.c    |  56 +++++-
 support/resolv_test.h    |  11 +
 10 files changed, 652 insertions(+), 14 deletions(-)
 create mode 100644 resolv/tst-resolv-edns.c
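The hardening above works by lowering the UDP payload size a resolver advertises in its EDNS0 OPT record, so a server never has reason to send a response large enough to be fragmented. The following is an added illustration, not glibc code and not part of this bug report: it builds a query with a chosen advertised size, parses the size back out of the OPT RR, and flags queries that advertise more than the 1200-byte limit. The 4096 "legacy" value, the sample name example.com and all function names are constructed for the example.

```python
import struct

OPT_TYPE = 41                 # EDNS0 OPT pseudo-RR (RFC 6891)
EDNS_PAYLOAD_HARDENED = 1200  # size glibc advertises after the commit above
EDNS_PAYLOAD_LEGACY = 4096    # assumed pre-fix size, chosen to illustrate the fragmentation risk

def build_query(qname, udp_payload=None, qid=0x1234):
    """Return a DNS A query; if udp_payload is set, add an OPT RR advertising it."""
    arcount = 0 if udp_payload is None else 1
    pkt = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD flag, one question
    for label in qname.rstrip(".").split("."):
        pkt += bytes([len(label)]) + label.encode("ascii")
    pkt += b"\x00" + struct.pack("!HH", 1, 1)  # root terminator, QTYPE A, QCLASS IN
    if udp_payload is not None:
        # OPT RR: root name, TYPE 41, CLASS carries the UDP payload size,
        # TTL carries ext-rcode/version/flags (all zero here), empty RDATA.
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, 0)
    return pkt

def _skip_name(pkt, off):
    """Advance past a (possibly compressed) domain name starting at off."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += 1 + length

def advertised_payload_size(pkt):
    """Return the UDP payload size from the OPT RR, or None if the query has none."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4           # skip QTYPE + QCLASS
    for i in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rrtype, rrclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if i >= an + ns and rrtype == OPT_TYPE:  # OPT lives in the additional section
            return rrclass
        off += 10 + rdlen
    return None

def exceeds_hardened_size(pkt):
    """True if the query invites responses larger than the 1200-byte hardened limit."""
    size = advertised_payload_size(pkt)
    return size is not None and size > EDNS_PAYLOAD_HARDENED
```

Run against captured stub-resolver traffic, `exceeds_hardened_size` gives a quick way to spot clients that still advertise oversized EDNS buffers.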
Added to 2.25 patchset, will be in patchlevel 9 or later
All vulnerable versions are masked. No further cleanup (toolchain package). Nothing to do for toolchain here anymore.
GLSA Vote: No