The CERT advisory also talks about a vulnerability in the resolver
libraries. SuSE's announcement doesn't discuss that issue. Is it still
pending?

,----
| BIND DNS Resolver Vulnerabilities
|
| VU#844360 - Domain Name System (DNS) stub resolver libraries vulnerable to
| buffer overflows via network name or address lookups
|
| An attacker could execute arbitrary code with the privileges of the
| application that made the request or cause a denial of service. The
| attacker would need to control the contents of DNS responses, possibly
| by spoofing responses or gaining control of a DNS server.
|
| These vulnerabilities are distinct from the issues discussed in
| CA-2002-19. The following DNS stub resolver libraries are known to be
| affected:
|
| - BIND 4.9.2 through 4.9.10
|
| The status of other resolver libraries derived from BIND 4 such as BSD
| libc, GNU glibc, and those used by System V UNIX systems is currently
| unknown. Additionally, these issues are mapped to CVE as follows.
|
| VU#852283 - CAN-2002-1219
| VU#229595 - CAN-2002-1220
| VU#581682 - CAN-2002-1221
| VU#844360 - CAN-2002-0029
`----

-- 
Alan Hadsell
If brute force doesn't work, you aren't using enough.