On 22/10/24 at 00:05, Bob Halley wrote:
> This is a blast from the past; 2008 is a LONG time ago!

Indeed! :-)

> It should be fine, as of 1.7 since the entropy pool added then would help
> with query id randomness. Newer dnspython releases use the system's
> randomness source via python APIs instead of the dnspython entropy pool if
> possible, so should be even better. Also dnspython creates a new socket for
> every query, so there will be port randomization from the OS most likely as
> well. Finally, dnspython doesn't cache by default, and even if its optional
> caching features are enabled, the nature of the way it caches does not leave
> it susceptible to the Kaminsky style attacks. Also it is probably harder for
> an attacker to send a giant stream of queries through dnspython than it is to
> send them to an ISP in most things that use dnspython.

Thanks a lot for your answer. Given the above, if there are no objections, I would close this bug with Version: 1.7.1-.

Dear security team, would you agree with changing this in the security tracker?

diff --git a/data/CVE/list b/data/CVE/list
index cc75787c27..761c635a98 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -714267,7 +714267,7 @@ CVE-2008-1447 (The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0
 	- refpolicy 2:0.0.20080702-1
 	- pdnsd 1.2.6-par-11 (bug #502275)
 	- python-dns 2.3.1-5 (low; bug #490217)
-	- dnspython <unfixed> (unimportant; bug #492465)
+	- dnspython 1.7.1-1 (unimportant; bug #492465)
 	NOTE: Just a stub resolver Linux kernel provides source port randomisation
 	- adns 1.4-2 (unimportant; bug #492698)
 	NOTE: adns is not suitable to use with untrusted responses, documented in README.Debian

> /Bob
>
>
> > On Oct 21, 2024, at 12:33, Santiago Ruano Rincón <santiag...@riseup.net>
> > wrote:
> >
> > On 29/07/08 at 17:28, Bob Halley wrote:
> >>
> >> On 28 Jul 2008, at 09:50, Robert Edmonds wrote:
> >>
> >>> [ i am CC'ing the upstream author, Bob Halley. Bob, are you planning a
> >>> fix to bring dnspython in line with forgery-resilience? ]
> >>
> >> I haven't been rushing to make a fix because dnspython is a stub resolver
> >> (typically cacheless) and is thus not likely a profitable target.
> >>
> >> Having said that, I would like to strengthen it, but it will take a little
> >> time since I'd like to improve the quality of the randomness as well.
> >> Python's random() function is based on the Mersenne Twister, which is not
> >> cryptographically strong. What's the timeframe for lenny?
> >
> > Hello Bob,
> >
> > While reviewing some bugs in Debian, I found this long-standing issue
> > about dnspython and CVE-2008-1447 ("the Kaminsky bug"):
> > https://bugs.debian.org/492465, and I wonder what is the current actual
> > status.
> >
> > I see this as part of the changes introduced by 1.7.0 in 2009:
> >
> > An entropy module has been added and is used to randomize query ids.
> >
> > Could it be considered then safe to state that #492465 is fixed? If yes,
> > would it be from 1.7.0 (actually 1.7.1-1 in Debian) version?
> >
> > Best regards,
> >
> > -- Santiago
> >
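Review bot: the changed line records `1.7.1-1` as the fixed version while the covering mail proposes closing the bug with "Version: 1.7.1-", so make sure the tracker entry and the bug closure end up with the same version string. Since the entry moves from `<unfixed>` to a fixed version, the unchanged `NOTE: Just a stub resolver Linux kernel provides source port randomisation` only explains the "unimportant" severity; consider amending it to record why 1.7.1-1 counts as fixed (query ids drawn from the entropy pool added in 1.7, as the quoted upstream reply states) so the rationale lives in the tracker and not only in this thread.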
signature.asc
Description: PGP signature
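The two mitigations the thread relies on, random query ids and OS-randomized source ports, can be sanity-checked from a resolver's own outgoing traffic. The script below is an added example, not code from the thread or from dnspython: it takes (TXID, source port) pairs, which here are constructed samples rather than real captures, and flags a field that is fixed or counter-like, the gross failure CVE-2008-1447 exploits.

```python
import math
import random
from collections import Counter
from dataclasses import dataclass


@dataclass
class FieldReport:
    name: str
    distinct: int
    observed_bits: float     # Shannon entropy of the sample; cannot exceed log2(n)
    max_bits: float          # log2(n): what a uniform source shows with n samples
    sequential_ratio: float  # share of consecutive pairs that differ by exactly +1

    def weak(self) -> bool:
        # Gross failures only: one fixed value, counter-style ids, or a sample
        # clearly less diverse than a uniform source of the same size.
        return (self.distinct == 1 or self.sequential_ratio > 0.5
                or self.observed_bits < 0.9 * self.max_bits)


def analyse(name: str, values: list) -> FieldReport:
    n = len(values)
    counts = Counter(values)
    observed = -sum(c / n * math.log2(c / n) for c in counts.values())
    sequential = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return FieldReport(name, len(counts), observed, math.log2(n),
                       sequential / max(n - 1, 1))


def audit(queries: list) -> dict:
    """queries: (txid, source_port) pairs for a resolver's outgoing queries."""
    txid = analyse("txid", [q[0] for q in queries])
    sport = analyse("sport", [q[1] for q in queries])
    return {"txid": txid, "sport": sport, "weak": txid.weak() or sport.weak()}


# Constructed samples, not real captures. The seeded generator only makes the
# demo reproducible; it says nothing about the quality of any real resolver.
rng = random.Random(2008)
WEAK = [(1000 + i, 53) for i in range(200)]  # counter ids, one fixed port
STRONG = [(rng.randrange(1 << 16), rng.randrange(32768, 61000)) for _ in range(200)]

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("strong", STRONG)):
        r = audit(sample)
        print(f"{label}: {'WEAK' if r['weak'] else 'ok'} "
              f"txid distinct={r['txid'].distinct} seq={r['txid'].sequential_ratio:.2f} "
              f"sport distinct={r['sport'].distinct}")
```

A sample-statistics check like this cannot distinguish a cryptographically strong source from the Mersenne Twister Bob mentions; it only catches the fixed-port and sequential-id cases, so the choice of randomness source still has to be verified in the code.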