
I know gethostbyname() has been obsolete for a long time. But I see static analysers report its use as unsafe, and when software removes its usage, it tends to be for security reasons.

I know there were a lot of security flaws found inside implementations recently (like GHOST), but several things seem to indicate that the function is also flawed by design…

Mike Ounsworth
user2284570

2 Answers


Deprecated functions are generally tagged by static code analyzers simply because they're deprecated. (That's usually an optional setting.) Many secure coding standards specifically state: "do not use deprecated functions."

Apart from some long-ago-fixed bugs, gethostbyname isn't terrible, but that's no reason to use it in new code when a supported alternative exists.

John Deters

I'm not aware of a direct security reason to avoid gethostbyname. It isn't like gets, which can't be used without risking a buffer overflow except in highly controlled conditions where the application knows the maximum possible size of the input.

One reason why gethostbyname is deprecated is that it isn't thread-safe, because it writes its output in a shared buffer. In a multithreaded program, either gethostbyname_r (if available) needs to be used instead, or the threads must use a synchronization mechanism so that only one thread is using the shared buffer at a time. If the programmer was not aware of this, the application may have a bug that can be triggered by causing calls in different threads at almost the same time; this could bypass an authentication step, for example.

Another reason why gethostbyname (and gethostbyname_r) is deprecated is that it doesn't cope well with IPv6. It doesn't let the application choose which form of address it wants. The most likely consequence is that the application may stop working if some IPv6-related setting changes. This could result in garbage data or even a buffer overflow somewhere if the application receives an IPv6 address when it expected an IPv4 address and it doesn't check the h_addrtype field of the result (because, in the mind of the programmer, there was nothing but AF_INET anyway).

Gilles 'SO- stop being evil'
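The two hazards in the answer above, shown in working C. This is an added example, not code from the question or either answer. The first half is the legacy pattern: a copy out of a struct hostent that checks h_addrtype and h_length before treating the record as a 4-byte IPv4 address, exercised against a constructed hostent (no resolver call) so the AF_INET6/16-byte case can be demonstrated offline. The second half is the replacement for both problems: getaddrinfo() is reentrant, so the shared-buffer race goes away, and hints.ai_family lets the caller state which address family it can handle. AI_NUMERICHOST is set so the calls resolve only literals and the example needs no DNS; the addresses used (192.0.2.1, 2001:db8::1) are documentation ranges chosen for the example, and the helper names are mine.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Legacy path. gethostbyname() returns a pointer into a static buffer, and a
 * caller that assumes AF_INET typically does
 *     memcpy(&v4, h->h_addr_list[0], sizeof v4);
 * If a resolver setting makes the record AF_INET6 (h_length 16), that copy
 * silently truncates an address the program cannot use; the reverse mistake
 * (copying h_length bytes into a 4-byte struct) overflows it. Check first.
 * Returns 0 when an IPv4 address was copied, -1 when the record is refused. */
static int copy_v4_checked(const struct hostent *h, struct in_addr *out)
{
    if (h == NULL || h->h_addr_list == NULL || h->h_addr_list[0] == NULL)
        return -1;
    if (h->h_addrtype != AF_INET || h->h_length != (int)sizeof(*out))
        return -1;
    memcpy(out, h->h_addr_list[0], sizeof(*out));
    return 0;
}

/* Builds a constructed struct hostent (no resolver involved) with the given
 * family and address length and feeds it to copy_v4_checked(). */
static int legacy_copy_result(int addrtype, int addrlen)
{
    unsigned char addr[16] = { 192, 0, 2, 1 };   /* constructed sample bytes */
    char *list[] = { (char *)addr, NULL };
    struct hostent h;
    struct in_addr v4;

    memset(&h, 0, sizeof h);
    h.h_name = (char *)"example.invalid";
    h.h_addrtype = addrtype;
    h.h_length = addrlen;
    h.h_addr_list = list;
    return copy_v4_checked(&h, &v4);
}

/* Modern path. getaddrinfo() allocates its result on the heap (freed by the
 * caller), so concurrent calls do not share state, and hints.ai_family lets
 * the caller ask for AF_INET, AF_INET6 or AF_UNSPEC. Writes the first usable
 * address in presentation form into buf and returns its family, or -1 if
 * nothing matched. AI_NUMERICHOST limits the call to literals (offline). */
static int resolve_numeric(const char *host, int family, char *buf, size_t buflen)
{
    struct addrinfo hints, *res = NULL, *ai;
    int got = -1;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = family;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;

    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return -1;                      /* wrong family or not a literal */

    for (ai = res; ai != NULL; ai = ai->ai_next) {
        const void *addr;
        if (ai->ai_family == AF_INET)
            addr = &((struct sockaddr_in *)ai->ai_addr)->sin_addr;
        else if (ai->ai_family == AF_INET6)
            addr = &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr;
        else
            continue;
        if (inet_ntop(ai->ai_family, addr, buf, buflen) != NULL) {
            got = ai->ai_family;
            break;
        }
    }
    freeaddrinfo(res);
    return got;
}

/* Wrappers with an internal buffer, so results are plain return values. */
static int resolve_family(const char *host, int family)
{
    char buf[INET6_ADDRSTRLEN];
    return resolve_numeric(host, family, buf, sizeof buf);
}

static int resolve_matches(const char *host, int family, const char *expected)
{
    char buf[INET6_ADDRSTRLEN];
    if (resolve_numeric(host, family, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[INET6_ADDRSTRLEN];

    printf("AF_INET record, 4 bytes:   %s\n",
           legacy_copy_result(AF_INET, 4) == 0 ? "copied" : "refused");
    printf("AF_INET6 record, 16 bytes: %s\n",
           legacy_copy_result(AF_INET6, 16) == 0 ? "copied" : "refused");
    if (resolve_numeric("2001:db8::1", AF_UNSPEC, buf, sizeof buf) == AF_INET6)
        printf("AF_UNSPEC gave an IPv6 address: %s\n", buf);
    printf("IPv6 literal with AF_INET forced: %s\n",
           resolve_family("2001:db8::1", AF_INET) < 0 ? "refused cleanly" : "accepted");
    return 0;
}
```

Forcing AF_INET for an IPv6 literal fails at getaddrinfo() rather than handing back a record of the wrong family, which is the failure mode the answer describes for code that never looks at h_addrtype. For real hostnames drop AI_NUMERICHOST; the family handling is unchanged.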