February 18th, 2016

FreeBSD, Variants Not Affected by Recent GNU Bug

Larry the BSD Guy

The glibc security vulnerability that Linux developers have been scrambling to patch does not affect *BSD.

Much has been made about a vulnerability in a function in the GNU C Library. And searching far and wide over the Internet, there was little — actually nothing — I could find regarding how this affected BSD variants.

However, you can rest easy, BSDers: Not our circus, not our monkeys.

Dag-Erling Smørgrav, a FreeBSD developer since 1998 and a former FreeBSD Security Officer, writes in his blog that “neither FreeBSD itself nor native FreeBSD applications are affected.”

He explains further: “While the resolver in FreeBSD’s libc and GNU libc share a common ancestry, the bug was introduced when the latter was rewritten to send A and AAAA queries in parallel rather than sequentially when the application requests both.”

Smørgrav doesn’t stop there, though. To his credit, he also offers solutions for those who may be affected — “The issue can be mitigated by only using resolvers you trust, and configuring them to avoid sending responses which can trigger the bug.” And from there, he goes into a lengthy and detailed solution explanation which, personally, is proverbially far above my balding head (which, truthfully, isn’t saying much in the realm of servers and security).

Smørgrav’s blog item is worth a read, especially if you know about the intricacies of this particular issue. Even if you don’t and want to take a look, the time reading it is well-spent; however if you’re a neophyte like me, keep Google handy. Speaking as someone who is rapidly, albeit haphazardly, getting up to speed on BSD, I am grateful for the work done by those involved with BSD in keeping us informed and keeping things running smoothly.

See you next week.

Editor note: Article updated on February 19, 2016 at 10:25 a.m. to identify Dag-Erling Smørgrav as a former security officer with FreeBSD.

We’re currently in the midst of our 2016 Indiegogo fundraising drive. Your support is crucial. Won’t you please visit our fundraising page and make a contribution to support FOSS Force?