Your message dated Fri, 11 Jul 2008 10:17:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#490123: fixed in dnsmasq 2.43-1
has caused the Debian Bug report #490123,
regarding dnsmasq: appears to be vulnerable to cache poisoning attack
CVE-2008-1447
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
490123: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490123
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: dnsmasq
Version: 2.42-4
Severity: grave
Tags: security
Justification: user security hole
dnsmasq appears to be vulnerable to CVE-2008-1447, the DNS cache
poisoning exploit. From my reading of the source code and observation
with tcpdump, dnsmasq doesn't do any source port randomisation.
dnsmasq binds a UDP socket for each of the forwarding name servers when
they are added (on startup, or configuration change), then uses those
sockets forever. The source port doesn't change between queries. tcpdump
confirms this.
thanks
Hamish
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.24 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages dnsmasq depends on:
ii adduser 3.108 add and remove users and groups
ii dnsmasq-base 2.42-4 A small caching DNS proxy and DHCP
ii netbase 4.32 Basic TCP/IP networking system
dnsmasq recommends no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: dnsmasq
Source-Version: 2.43-1
We believe that the bug you reported is fixed in the latest version of
dnsmasq, which is due to be installed in the Debian FTP archive:
dnsmasq-base_2.43-1_i386.deb
to pool/main/d/dnsmasq/dnsmasq-base_2.43-1_i386.deb
dnsmasq_2.43-1.diff.gz
to pool/main/d/dnsmasq/dnsmasq_2.43-1.diff.gz
dnsmasq_2.43-1.dsc
to pool/main/d/dnsmasq/dnsmasq_2.43-1.dsc
dnsmasq_2.43-1_all.deb
to pool/main/d/dnsmasq/dnsmasq_2.43-1_all.deb
dnsmasq_2.43.orig.tar.gz
to pool/main/d/dnsmasq/dnsmasq_2.43.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon Kelley <[EMAIL PROTECTED]> (supplier of updated dnsmasq package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 17 Jun 2008 11:55:38 +0000
Source: dnsmasq
Binary: dnsmasq dnsmasq-base
Architecture: source all i386
Version: 2.43-1
Distribution: unstable
Urgency: high
Maintainer: Simon Kelley <[EMAIL PROTECTED]>
Changed-By: Simon Kelley <[EMAIL PROTECTED]>
Description:
dnsmasq - A small caching DNS proxy and DHCP/TFTP server
dnsmasq-base - A small caching DNS proxy and DHCP/TFTP server
Closes: 490123
Changes:
dnsmasq (2.43-1) unstable; urgency=high
.
* New upstream.
* Implement source-port randomisation and better random
number generator as defence against CVE-2008-1447 (closes: #490123)
Files:
23803d7cab04b70dbc52a963bc3e591f 596 net optional dnsmasq_2.43-1.dsc
835329cfce668afee8cdb84c62cb76c3 376518 net optional dnsmasq_2.43.orig.tar.gz
c5443576cd4608ea9eecbe018304be3b 13610 net optional dnsmasq_2.43-1.diff.gz
280ff667d48308d629bdbacd7bda15d2 248578 net optional
dnsmasq-base_2.43-1_i386.deb
af638ec70fc5afd3631fa5a653364d9a 12096 net optional dnsmasq_2.43-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFIdzEMKPyGmiibgrcRAmzaAJ9CDE6TdLutNr3csTyDZeJLjCALdACfQEWO
OA9l3jWwlLfdMJzhWSNHbG4=
=GOIN
-----END PGP SIGNATURE-----
--- End Message ---
