Your message dated Sat, 26 Jul 2008 05:17:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#490217: fixed in python-dns 2.3.1-5
has caused the Debian Bug report #490217,
regarding python-dns vulnerable to CVE-2008-1447 DNS source port guessable
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
490217: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490217
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: python-dns
Version: 2.3.0-5.1
Severity: grave
Tags: security
Justification: user security hole

CVE-2008-1447, which deals with DNS reply poisoning that
is possible due to DNS clients sending DNS requests on
predictable UDP source ports, is a security issue that
also applies to python-dns, as it does not implement the
recommended UDP port randomization... example:

Note lack of port randomization in code:
    def sendUDPRequest(self, server):
        "refactor me"
        self.response=None
        self.socketInit(socket.AF_INET, socket.SOCK_DGRAM)
        for self.ns in server:
            try:
                # TODO. Handle timeouts &c correctly (RFC)
                #self.s.connect((self.ns, self.port))
                self.conn()
                self.time_start=time.time()
                if not self.async:
                    self.s.send(self.request)
                    self.response=self.processUDPReply()
            #except socket.error:
            except None:
                continue
            break
        if not self.response:
            if not self.async:
                raise DNSError,'no working nameservers found'

In [25]: import DNS
In [26]: d=DNS.DnsRequest(name='www.google.com', server='208.80.142.5', port=53)
In [27]: r=d.req() 
In [28]: r=d.req()

In [29]: r=d.req()

In [30]: r=d.req()
(etc)

Yields, with "tcpdump udp port 53":
15:27:15.912894 IP baekdudaegan.metacarta.com.43661 > eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:17.224843 IP baekdudaegan.metacarta.com.43662 > eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:18.344731 IP baekdudaegan.metacarta.com.43663 > eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:18.952729 IP baekdudaegan.metacarta.com.43664 > eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:19.384802 IP baekdudaegan.metacarta.com.43665 > eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:19.752853 IP baekdudaegan.metacarta.com.43666 > eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:20.120819 IP baekdudaegan.metacarta.com.43667 > eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:22.680866 IP baekdudaegan.metacarta.com.43668 > eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:23.416775 IP baekdudaegan.metacarta.com.43669 > eiger.metacarta.com.domain:  0+ A? www.google.com. (32)


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages python-dns depends on:
ii  python                        2.4.4-2    An interactive high-level object-o
ii  python-support                0.5.6      automated rebuilding support for p

python-dns recommends no packages.

-- no debconf information



--- End Message ---
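
Added example (not part of the bug report and not python-dns code): a check that reads tcpdump one-line output like the capture in the report and flags client/resolver pairs whose query source ports step up in small increments or whose query ID (the number before the "+", 0 in every line of the capture above) repeats. The host names, sample lines and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed capture lines in tcpdump's one-line format (hosts are placeholders).
SAMPLE = """\
10:00:00.100000 IP seq-client.example.40001 > resolver.example.domain:  0+ A? www.example.com. (33)
10:00:00.200000 IP rnd-client.example.51234 > resolver.example.domain:  7121+ A? www.example.com. (33)
10:00:01.100000 IP seq-client.example.40002 > resolver.example.domain:  0+ A? www.example.com. (33)
10:00:01.200000 IP rnd-client.example.1999 > resolver.example.domain:  40233+ A? www.example.com. (33)
10:00:02.100000 IP seq-client.example.40003 > resolver.example.domain:  0+ A? www.example.com. (33)
10:00:02.200000 IP rnd-client.example.33017 > resolver.example.domain:  915+ A? www.example.com. (33)
10:00:03.100000 IP seq-client.example.40004 > resolver.example.domain:  0+ A? www.example.com. (33)
10:00:03.200000 IP rnd-client.example.60422 > resolver.example.domain:  58810+ A? www.example.com. (33)
""".splitlines()

# Queries to port 53 ("domain"): source host, source port, resolver, query ID.
QUERY = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?:domain|53):"
    r"\s+(?P<tid>\d+)\+? ")

def flows(lines):
    """Group (source port, query ID) pairs by (client, resolver), in capture order."""
    out = defaultdict(list)
    for line in lines:
        m = QUERY.match(line)
        if m:
            out[(m["src"], m["dst"])].append((int(m["sport"]), int(m["tid"])))
    return dict(out)

def sequential(values, max_step=8, ratio=0.9):
    """True when nearly every value is a small increment over the previous one."""
    steps = [(b - a) % 65536 for a, b in zip(values, values[1:])]
    return sum(1 <= s <= max_step for s in steps) / len(steps) >= ratio

def audit(lines, min_queries=4):
    """Per flow: are source ports sequential, and do query IDs repeat?"""
    report = {}
    for flow, pairs in flows(lines).items():
        if len(pairs) < min_queries:
            continue  # too few samples to judge
        ports, tids = zip(*pairs)
        report[flow] = {
            "sequential_ports": sequential(ports),
            "repeated_tids": len(set(tids)) <= len(tids) // 2,
        }
    return report
```

Capture on the resolver side of any NAT device as well, since address translation can rewrite randomized source ports into a predictable sequence.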
--- Begin Message ---
Source: python-dns
Source-Version: 2.3.1-5

We believe that the bug you reported is fixed in the latest version of
python-dns, which is due to be installed in the Debian FTP archive:

python-dns_2.3.1-5.diff.gz
  to pool/main/p/python-dns/python-dns_2.3.1-5.diff.gz
python-dns_2.3.1-5.dsc
  to pool/main/p/python-dns/python-dns_2.3.1-5.dsc
python-dns_2.3.1-5_all.deb
  to pool/main/p/python-dns/python-dns_2.3.1-5_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Kitterman <[EMAIL PROTECTED]> (supplier of updated python-dns package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 26 Jul 2008 00:46:56 -0400
Source: python-dns
Binary: python-dns
Architecture: source all
Version: 2.3.1-5
Distribution: unstable
Urgency: high
Maintainer: [EMAIL PROTECTED]
Changed-By: Scott Kitterman <[EMAIL PROTECTED]>
Description: 
 python-dns - pydns - DNS client module for Python
Closes: 490217
Changes: 
 python-dns (2.3.1-5) unstable; urgency=high
 .
   * Replace debian/patches/tid-random.patch with source-tid-random.patch
     to fully address CVE-2008-1447 (Closes: #490217)
     - Randomize TID (from previous patch - it works for retries too)
     - Add source port randomization to cover all cases

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIirLPHajaM93NaGoRAhMUAJ9qxu/6iPC2+t7IlLGUgLSOTmqEpgCeJfR9
xCBmHYZNX45bBWeM2Qgcpyc=
=KatA
-----END PGP SIGNATURE-----



--- End Message ---
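
Added example (not the contents of source-tid-random.patch, which this page does not show, and not python-dns code): one way a UDP DNS client can apply the two measures named in the changelog, a random transaction ID and a random source port, and then accept only replies that match both. The port range, function names and retry count are assumptions made for this sketch.

```python
import errno
import secrets
import socket
import struct

PORT_MIN, PORT_MAX = 1024, 65535  # assumed range, not taken from the Debian patch

def random_tid():
    """16-bit DNS transaction ID drawn from the OS CSPRNG."""
    return secrets.randbelow(1 << 16)

def bind_random_source_port(bind_addr="0.0.0.0", attempts=16):
    """Return a UDP socket bound to a source port chosen by the CSPRNG."""
    for _ in range(attempts):
        port = PORT_MIN + secrets.randbelow(PORT_MAX - PORT_MIN + 1)
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            sock.bind((bind_addr, port))
            return sock
        except OSError as exc:
            sock.close()
            # Port already taken or reserved: draw another one.
            if exc.errno not in (errno.EADDRINUSE, errno.EACCES):
                raise
    raise OSError(errno.EADDRINUSE, "no free random source port found")

def reply_matches(data, addr, tid, server, port=53):
    """Accept a datagram only if it comes from the queried server and echoes our TID."""
    if addr != (server, port) or len(data) < 12:
        return False  # wrong sender, or shorter than a DNS header
    reply_tid, flags = struct.unpack("!HH", data[:4])
    return reply_tid == tid and bool(flags & 0x8000)  # QR bit set: a response
```

Use a fresh socket from bind_random_source_port() and a fresh random_tid() for every query, retries included, so neither value carries over between requests.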
