Red Hat Bugzilla – Bug 1477529
CVE-2017-12132 glibc: Fragmentation attacks possible when EDNS0 is enabled
Last modified: 2017-10-11 08:07:06 EDT
The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.
Created glibc tracking bugs for this issue:
Affects: fedora-all [bug 1477530]
This issue only affects systems which use a remote recursive resolver and enable EDNS0, either with the “edns0” option in /etc/resolv.conf, or using the RES_USE_EDNS0 or RES_USE_DNSSEC resolver flags. The underlying issue affects recursive resolvers such as BIND and Unbound as well, and has to be fixed separately there.