topic Re: HP-UX 10.20 Security for DNS notification in Operating System - HP-UX

HP-UX 10.20 Security for DNS notification

trystan macdonald — Tue, 17 Sep 2002 08:07:25 GMT

I am looking into an HP security bulletin regarding DNS and HP-UX 10.20 - it mentions that:
Programs which make DNS calls and are linked with libc.a must be relinked.

Does this mean that applications which make DNS calls will need re-compilling?

How would I get more information on re-linking libraries?

Thanks in advance
Trystan.

Re: HP-UX 10.20 Security for DNS notification

Cheryl Griffin — Tue, 17 Sep 2002 11:24:32 GMT

Trystan,
Use chatr on the program to determine if the program is statically linked or dynamically linked.
Example:
# chatr itool
shared library list:
dynamic /usr/obam/lib/libobam.1
dynamic /usr/lib/libdld.1
dynamic ../lib/libcfg.1
dynamic /usr/lib/libm.1

If dynamic there is not an issue.

If static, you will have to use a programming bundle like C/AnsiC Developers Bundle that contains the linker command (cc) that will allow you to redefine the libraries that are being used.
http://www.docs.hp.com/cgi-bin/fsearch/framedisplay?top=/hpux/onlinedocs/92501-90029/92501-90029_top.html&con=/hpux/onlinedocs/92501-90029/00/00/7-con.html&toc=/hpux/onlinedocs/92501-90029/00/00/7-toc.html&searchterms=ln%7cc%2b%2b&queryid=20020917-052316

Cheryl

Re: HP-UX 10.20 Security for DNS notification

Cheryl Griffin — Tue, 17 Sep 2002 11:29:22 GMT

In addition, I read the SB " HEWLETT-PACKARD COMPANY SECURITY BULLETIN: HPSBUX0208-209 SSRT2316 Security Vulnerability in DNS resolver libraries"

The Bulletin states:
"Relink statically linked programs calling the DNS API on 10.20.

... (snip) ... which make DNS calls and are linked with libc.a must be relinked. So far as is known *** HP delivers no such programs. ***"

Disclaimer: Those are my *** added to that statement to stress the point.

This means that if you have homegrown applications which use DNS API, there is a potential problem.

Cheryl