X2Go Bug report logs - #778
affected by CVE 2015-0235: Stop using gethosbyname()

Package: nx-libs; Maintainer for nx-libs is X2Go Developers <x2go-dev@lists.x2go.org>;

Reported by: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Date: Sun, 1 Feb 2015 07:05:02 UTC

Severity: important

Done: Stefan Baur <X2Go-ML-1@baur-itcs.de>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to x2go-dev@lists.x2go.org, owner@bugs.x2go.org:
Bug#778; Package src:nx-libs. (Sun, 01 Feb 2015 07:05:02 GMT) (full text, mbox, link).


Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
New Bug report received and forwarded. Copy sent to owner@bugs.x2go.org. (Sun, 01 Feb 2015 07:05:02 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: submit@bugs.x2go.org
Subject: affected by CVE 2015-0235: Stop using gethosbyname()
Date: Sun, 01 Feb 2015 08:04:41 +0100
Package: src:nx-libs
Severity: important

The NX source code uses gethostbyname() at several locations and is potentially affected by CVE 2015-0235 (GHOST security issue in glibc).

We should move towards using getaddrinfo() asap.

Mike


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976148

GnuPG Key ID 0x25771B13
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de




Bug reassigned from package 'src:nx-libs' to 'nx-libs'. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Sun, 01 Feb 2015 10:35:01 GMT) (full text, mbox, link).


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#778; Package nx-libs. (Sun, 01 Feb 2015 12:45:01 GMT) (full text, mbox, link).


Acknowledgement sent to Nable <nable.maininbox@googlemail.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Sun, 01 Feb 2015 12:45:01 GMT) (full text, mbox, link).


Message #12 received at 778@bugs.x2go.org (full text, mbox, reply):

From: Nable <nable.maininbox@googlemail.com>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 778@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#778: affected by CVE 2015-0235: Stop using gethosbyname()
Date: Sun, 1 Feb 2015 16:40:59 +0400
Hi, Mike!

I'm looking at this and previous bug (#777) and can't stop wondering
whether applications should really contain workarounds for bugs in
system libraries. Isn't it better to just depend on newer version
of library (that has fixes for currently known bugs)?

There are a lot of older bugs in glibc (that are fixed in current
version), does it mean that applications should be bloated with
workarounds for such bugs just in order to work more safely on machines
where users don't pay enough attention to updates?


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#778; Package nx-libs. (Sun, 01 Feb 2015 21:35:02 GMT) (full text, mbox, link).


Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Sun, 01 Feb 2015 21:35:02 GMT) (full text, mbox, link).


Message #17 received at 778@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Nable <nable.maininbox@googlemail.com>
Cc: 778@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#778: affected by CVE 2015-0235: Stop using gethosbyname()
Date: Sun, 01 Feb 2015 21:34:40 +0000
[Message part 1 (text/plain, inline)]
On  So 01 Feb 2015 13:40:59 CET, Nable wrote:

> Hi, Mike!
>
> I'm looking at this and previous bug (#777) and can't stop wondering
> whether applications should really contain workarounds for bugs in
> system libraries. Isn't it better to just depend on newer version
> of library (that has fixes for currently known bugs)?
>
> There are a lot of older bugs in glibc (that are fixed in current
> version), does it mean that applications should be bloated with
> workarounds for such bugs just in order to work more safely on machines
> where users don't pay enough attention to updates?

That is a true way of reasoning...

However, gethostbyname is deprecated in glibc and not really IPv4/IPv6  
compliant [1].

Mike

[1] http://beej.us/guide/bgnet/output/html/multipage/syscalls.html#getaddrinfo

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]

Acknowledgement sent to Stefan Baur <X2Go-ML-1@baur-itcs.de>:
Extra info received and filed, but not forwarded. (Thu, 25 Jan 2024 21:55:01 GMT) (full text, mbox, link).


Message #20 received at 778-quiet@bugs.x2go.org (full text, mbox, reply):

From: Stefan Baur <X2Go-ML-1@baur-itcs.de>
To: 778-quiet@bugs.x2go.org
Subject: Migrating/Closing
Date: Thu, 25 Jan 2024 22:51:36 +0100
Control: close -1
Control: archive -1

This issue is now being tracked in the Arctica Issue Tracker over on 
Github: <https://github.com/ArcticaProject/nx-libs/issues/1070>

Kind Regards,
Stefan Baur
-- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243


Marked Bug as done Request was from Stefan Baur <X2Go-ML-1@baur-itcs.de> to 778-quiet@bugs.x2go.org. (Thu, 25 Jan 2024 21:55:02 GMT) (full text, mbox, link).


Notification sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Bug acknowledged by developer. (Thu, 25 Jan 2024 21:55:02 GMT) (full text, mbox, link).


Bug archived. Request was from Stefan Baur <X2Go-ML-1@baur-itcs.de> to 778-quiet@bugs.x2go.org. (Thu, 25 Jan 2024 21:55:02 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Wed Oct 30 12:56:32 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.