Your message dated Sun, 27 Jul 2008 15:51:35 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Re: Bug#492460: pdnsd: appears to be vulnerable to cache poisoning attack CVE-2008-1447
has caused the Debian Bug report #492460,
regarding pdnsd: appears to be vulnerable to cache poisoning attack CVE-2008-1447
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
492460: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492460
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: pdnsd
Version: 1.2.4par-0.2 1.2.6-par-8
Severity: grave
Tags: security

Hi,

It seems that pdnsd is vulnerable to the DNS cache poisoning attack
as described by Dan Kaminsky and referenced as CVE-2008-1447. I'm
not intimately aware of pdnsd; could you look into this issue and
see whether it's indeed vulnerable and whether an updated package
can be provided?

Reading the source code didn't give me any indication of source
port randomisation so I'm filing this as grave until we're either
sure that it's not vulnerable or that a fix has been applied.


thanks,
Thijs


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.18-6-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)



--- End Message ---
--- Begin Message ---
On Sat, Jul 26, 2008 at 09:47:43AM +0000, Thijs Kinkhorst wrote:
> Package: pdnsd
> Version: 1.2.4par-0.2 1.2.6-par-8
> Severity: grave
> Tags: security
> 
> Hi,
> 
> It seems that pdnsd is vulnerable to the DNS cache poisoning attack
> as described by Dan Kaminsky and referenced as CVE-2008-1447. I'm
> not intimately aware of pdnsd; could you look into this issue and
> see whether it's indeed vulnerable and whether an updated package
> can be provided?
> 
> Reading the source code didn't give me any indication of source
> port randomisation so I'm filing this as grave until we're either
> sure that it's not vulnerable or that a fix has been applied.

The security team already asked, and yes, it uses port randomization;
it's documented in pdnsd.conf and the source matches too.

-- 
·O·  Pierre Habouzit
··O                                                [EMAIL PROTECTED]
OOO                                                http://www.madism.org



--- End Message ---
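
The question in this thread, whether a resolver randomizes the source port of its outgoing queries, can also be checked empirically from a packet capture. The following is an added example, not part of the original messages and not pdnsd code; the tcpdump-style lines, addresses, function names and thresholds are constructed assumptions.

```python
import re
from statistics import pstdev

# Matches a `tcpdump -n` line for an outgoing UDP query to port 53, e.g.
# 15:51:35.000001 IP 192.0.2.10.53124 > 198.51.100.53.53: 4242+ A? example.org. (29)
QUERY = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > \d+\.\d+\.\d+\.\d+\.53: \d+\+? ")

def query_ports(lines, resolver_ip):
    """Source ports of queries sent by resolver_ip to port 53, in capture order."""
    ports = []
    for line in lines:
        m = QUERY.search(line)
        if m and m.group(1) == resolver_ip:
            ports.append(int(m.group(2)))
    return ports

def assess(ports, min_samples=8, min_stdev=3000):
    """Classify source-port behaviour; both thresholds are illustrative assumptions."""
    if len(ports) < min_samples:
        return "insufficient-data"
    if len(set(ports)) == 1:
        return "fixed"            # one port for every query: no port entropy at all
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    if sum(1 for d in deltas if 0 < d <= 16) >= 0.9 * len(deltas):
        return "sequential"       # predictable small increments
    if pstdev(ports) < min_stdev:
        return "narrow-range"     # varies, but only within a small window
    return "randomized"

def constructed_capture(ports, resolver_ip="192.0.2.10"):
    """Build constructed tcpdump-style lines (not real traffic) for the demo."""
    return [f"15:51:35.{i:06d} IP {resolver_ip}.{p} > 198.51.100.53.53: "
            f"{1000 + i}+ A? example.org. (29)" for i, p in enumerate(ports)]

# Constructed port sequences, one per behaviour the check distinguishes.
SAMPLES = {
    "fixed": [32768] * 10,
    "sequential": list(range(1024, 1034)),
    "narrow": [32770, 32795, 32781, 32768, 32799, 32776, 32790, 32772, 32788, 32779],
    "random": [53124, 1981, 40177, 22950, 61003, 9412, 33871, 47290, 15666, 58820],
}

if __name__ == "__main__":
    for name, ports in SAMPLES.items():
        print(name, "->", assess(query_ports(constructed_capture(ports), "192.0.2.10")))
```

A "randomized" verdict on a short capture only shows that the observed ports are spread out; a longer capture gives a more reliable picture.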
