oss-sec mailing list archives
Re: Qualys Security Advisory CVE-2015-0235 - GHOST: glibc gethostbyname buffer overflow
From: Qualys Security Advisory <qsa () qualys com>
Date: Thu, 29 Jan 2015 08:48:49 -0800
Dear All,

We were asked off-list whether HAProxy is vulnerable to GHOST or not, and thought others might be interested in the answer as well.

The short version is: HAProxy is NOT vulnerable to GHOST.

The slightly longer version is: we are looking for gethostbyname() calls whose hostname argument can be controlled by an attacker. There are indeed a few calls to gethostbyname() in HAProxy, but their hostname arguments all depend on the configuration file, in the end, so they are safe (side note: there is getaddrinfo() support too, but it seems to be turned on for Solaris only, by default).

Hope this is useful.

With best regards,

--
the Qualys Security Advisory team
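The triage described in the message above (find every gethostbyname() call, then ask where its hostname argument comes from), as an added example that is not part of the original post and not Qualys's own tooling: a small scanner that lists each call site with its hostname argument so the argument's origin can be traced by hand. Covering gethostbyname2() and the _r variants goes beyond the single function named in the post and is an assumption; the sample C snippet and its names (cfg, req_header) are constructed.

```python
import re

# Assumption: the whole gethostbyname*() family, not only the name in the post.
CALL = re.compile(r"\b(gethostbyname2?(?:_r)?)\s*\(")
# C comments plus string and character literals.
TOKEN = re.compile(r"""/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'""", re.S)
# Constructed sample; cfg, req_header and the variables are hypothetical.
SAMPLE = r'''
#include <netdb.h>
/* gethostbyname(old) was removed */
struct hostent *a = gethostbyname("localhost");
struct hostent *b = gethostbyname(cfg->server_name);
int rc = gethostbyname_r(req_header(r, "Host"), &he, buf, sizeof buf, &res, &err);
'''

def blank(match):  # spaces keep offsets and line numbers valid
    return re.sub(r"[^\n]", " ", match.group(0))

def first_argument(src, start):
    """Text of the first argument; start is the offset just after '('."""
    depth, i, quote = 1, start, None
    while i < len(src):
        c = src[i]
        if quote:
            if c == "\\":
                i += 1  # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif c == "(":
            depth += 1
        elif c in ")," and depth == 1:
            break  # end of the first argument
        elif c == ")":
            depth -= 1
        i += 1
    return " ".join(src[start:i].split())

def audit(src):
    """Return (line, function, hostname argument, verdict) per call site."""
    masked = TOKEN.sub(blank, src)  # comments and literals blanked: call search
    clean = TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] in "\"'" else blank(m), src)
    rows = []
    for m in CALL.finditer(masked):
        arg = first_argument(clean, m.end())
        verdict = "constant" if re.fullmatch(r'"(?:\\.|[^"\\])*"', arg) else "trace-origin"
        rows.append((masked.count("\n", 0, m.start()) + 1, m.group(1), arg, verdict))
    return rows
```

A "trace-origin" verdict only marks a call whose argument is not a string constant; deciding whether it comes from the configuration file or from an attacker still requires following the variable back through the code, as the message describes.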