Thijs Kinkhorst wrote:
> Package: python-dnspython
> Version: 1.3.5-3.1 1.6.0-1
> Severity: grave
> Tags: security
>
> Hi,
>
> From inspecting the code of dnspython, it seems that it is not using the
> recommended source port randomisation for countering the cache poisoning
> attack as discovered by Dan Kaminsky and referenced as CVE-2008-1447.
python-dnspython isn't a DNS cache. It may be susceptible to forgery resilience issues, though. The qid field is explicitly randomized (but with the standard library RNG).

> Could you please look into this and see whether updated packages can and
> should be created for etch/lenny/sid?

From my testing (by repeatedly calling dns.resolver.query), dnspython opens a new socket for each query. On my kernel (2.6.25) the source port numbers appear to be random, but maybe this is a kernel feature introduced since 2.6.18.

dnspython is a stub resolver, and not a general purpose one at that; I would prefer to wait for upstream to provide an updated version.

BTW, I have another specialized DNS package in the archive (adns). Do you know if it needs forgery resilience?

--
Robert Edmonds [EMAIL PROTECTED]
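The reply above rests on an observation rather than a guarantee: a stub resolver that opens a fresh UDP socket per query gets whatever ephemeral port the kernel hands out, so the forgery resilience it inherits is the kernel's port allocation policy. The following is an added example, not code from this thread, from dnspython or from Debian; it uses only the standard `socket` module, binds UDP sockets to port 0 on 127.0.0.1 (an assumption, chosen so it runs offline) exactly as a per-query socket would, and reports whether the assigned ports look sequential or spread out.

```python
import socket
import statistics


def sample_source_ports(n: int = 100, bind_addr: str = "127.0.0.1") -> list:
    """Open n UDP sockets bound to an ephemeral port (port 0), the way a
    stub resolver that creates a new socket per query does, and record the
    source port the kernel assigned to each. Sockets stay open until the
    end so the kernel cannot hand the same port back immediately."""
    ports, socks = [], []
    try:
        for _ in range(n):
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.bind((bind_addr, 0))
            socks.append(s)
            ports.append(s.getsockname()[1])
    finally:
        for s in socks:
            s.close()
    return ports


def assess_port_randomisation(ports: list) -> dict:
    """Crude defender-side check on a list of observed source ports.
    A sequential allocator yields mostly consecutive ports (small deltas
    between successive samples); a randomised allocator yields large,
    varied deltas spread across the ephemeral range."""
    deltas = [abs(b - a) for a, b in zip(ports, ports[1:])]
    sequential = sum(1 for d in deltas if d <= 2)
    fraction = sequential / len(deltas) if deltas else 0.0
    span = max(ports) - min(ports) if ports else 0
    return {
        "samples": len(ports),
        "distinct": len(set(ports)),
        "span": span,
        "sequential_fraction": fraction,
        "median_delta": statistics.median(deltas) if deltas else 0,
        # Threshold is a heuristic, not a formal test of randomness.
        "looks_randomised": fraction < 0.2 and span > 10000,
    }


if __name__ == "__main__":
    observed = sample_source_ports()
    for key, value in assess_port_randomisation(observed).items():
        print(f"{key}: {value}")
```

If `looks_randomised` is false, the 16-bit query ID is the only unpredictable field in an outgoing query, which is the condition the Kaminsky attack exploits; the fix is then at the kernel or resolver level, not in the application.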