Your message dated Sat, 30 Aug 2008 19:01:21 +0000 with message-id <[EMAIL PROTECTED]> and subject line Bug#490217: fixed in python-dns 2.3.0-5.2+etch1 has caused the Debian Bug report #490217, regarding python-dns vulnerable to CVE-2008-1447 DNS source port guessable to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.) -- 490217: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490217 Debian Bug Tracking System Contact [EMAIL PROTECTED] with problems
--- Begin Message ---Package: python-dns Version: 2.3.0-5.1 Severity: grave Tags: security Justification: user security hole CVE-2008-1447, which deals with DNS reply poisoning that is possible due to DNS clients sending DNS requests on predictable UDP source ports, is a security issue that also applies to python-dns, as it does not implement the recommended UDP port randomization... example: Note lack of port randomization in code: def sendUDPRequest(self, server): "refactor me" self.response=None self.socketInit(socket.AF_INET, socket.SOCK_DGRAM) for self.ns in server: try: # TODO. Handle timeouts &c correctly (RFC) #self.s.connect((self.ns, self.port)) self.conn() self.time_start=time.time() if not self.async: self.s.send(self.request) self.response=self.processUDPReply() #except socket.error: except None: continue break if not self.response: if not self.async: raise DNSError,'no working nameservers found' In [25]: import DNS In [26]: d=DNS.DnsRequest(name='www.google.com', server='208.80.142.5', port=53) In [27]: r=d.req() In [28]: r=d.req() In [29]: r=d.req() In [30]: r=d.req() (etc) Yields, with "tcpdump udp port 53": 15:27:15.912894 IP baekdudaegan.metacarta.com.43661 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32) 15:27:17.224843 IP baekdudaegan.metacarta.com.43662 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32) 15:27:18.344731 IP baekdudaegan.metacarta.com.43663 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32) 15:27:18.952729 IP baekdudaegan.metacarta.com.43664 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32) 15:27:19.384802 IP baekdudaegan.metacarta.com.43665 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32) 15:27:19.752853 IP baekdudaegan.metacarta.com.43666 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32) 15:27:20.120819 IP baekdudaegan.metacarta.com.43667 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32) 15:27:22.680866 IP baekdudaegan.metacarta.com.43668 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32) 15:27:23.416775 IP baekdudaegan.metacarta.com.43669 > eiger.metacarta.com.domain: 0+ A? www.google.com. (32) -- System Information: Debian Release: 4.0 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (x86_64) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.18-6-amd64 Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Versions of packages python-dns depends on: ii python 2.4.4-2 An interactive high-level object-o ii python-support 0.5.6 automated rebuilding support for p python-dns recommends no packages. -- no debconf information
--- End Message ---
--- Begin Message ---Source: python-dns Source-Version: 2.3.0-5.2+etch1 We believe that the bug you reported is fixed in the latest version of python-dns, which is due to be installed in the Debian FTP archive: python-dns_2.3.0-5.2+etch1.diff.gz to pool/main/p/python-dns/python-dns_2.3.0-5.2+etch1.diff.gz python-dns_2.3.0-5.2+etch1.dsc to pool/main/p/python-dns/python-dns_2.3.0-5.2+etch1.dsc python-dns_2.3.0-5.2+etch1_all.deb to pool/main/p/python-dns/python-dns_2.3.0-5.2+etch1_all.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. [EMAIL PROTECTED] (supplier of updated python-dns package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.7 Date: Sat, 26 Jul 2008 21:46:00 -0400 Source: python-dns Binary: python-dns Architecture: source all Version: 2.3.0-5.2+etch1 Distribution: stable-security Urgency: high Maintainer: Joerg Wendland <[EMAIL PROTECTED]> Changed-By: [EMAIL PROTECTED] Description: python-dns - pydns - DNS client module for Python Closes: 490217 Changes: python-dns (2.3.0-5.2+etch1) stable-security; urgency=high . * Non-maintainer upload by the security team; thanks to Scott Kitterman for preparing the fix. * SECURITY UPDATE: Modify DNS/Base.py to randomize both Transaction ID (TID) and source port (Closes: #490217) - CVE-2008-1447 DNS source port guessable Files: c2e7178128b7033952b7795b358dea0b 695 python optional python-dns_2.3.0-5.2+etch1.dsc 82d377c6a59181072b30b0da4e9835b8 21084 python optional python-dns_2.3.0.orig.tar.gz 06a021e1cf9836cec4bbe72461bab137 3444 python optional python-dns_2.3.0-5.2+etch1.diff.gz b544ce3edb7d2051811ec743a49206a1 22750 python optional python-dns_2.3.0-5.2+etch1_all.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFIjDLtU5XKDemr/NIRAnCtAJ0fWaGiRkk3lGjK6evw7ltgJ56S/wCg0G3a Q9H1Offuq/rG76fNTrY3bKI= =NKhg -----END PGP SIGNATURE-----
--- End Message ---
