On Wed, Sep 17, 2008 at 05:28:37PM +0200, Fabio Tranchitella wrote:
> > transaction ID randomization.  If instead of reverting to the package that
> > has neither, you change 'self.tid' to '0' in line 199
> > of /var/lib/python-support/python2.4/DNS/Base.py you will work around this
> > problem and still have source port randomization.
> >
> > I've contacted upstream and will get this sorted out.
>
> Thanks for your answer, I'm cc'ing the security team to bring to their
> attention the bug report: we'll have to issue a new security update with
> the fix.

Thanks for the report; I can take care of shipping out an updated fix once
one is available.  I'm reluctant to use the approach of disabling
transaction ID randomization, however, since port randomization alone does
not introduce sufficient entropy into the request as to make forgery
unfeasible.

Scott, let us know when you get a response from upstream.

-- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
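
The trade-off discussed in this thread, as an added example that is not part of the original messages and is not code from python-dns: a stub resolver's response check, run against every possible 16-bit ID. All function names are hypothetical and the packets are constructed sample data.

```python
import secrets
import struct

def build_query(name, tid=None, qtype=1):
    """Return (tid, packet) for a one-question query; tid defaults to a CSPRNG value."""
    if tid is None:
        tid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return tid, header + qname + struct.pack("!HH", qtype, 1)  # class IN

def accept_response(query, response):
    """Accept only a response whose ID and question section match the query."""
    if len(response) < len(query):
        return False
    r_tid, r_flags, r_qd = struct.unpack("!HHH", response[:6])
    (q_tid,) = struct.unpack("!H", query[:2])
    if not r_flags & 0x8000:           # QR bit must mark this as a response
        return False
    if r_tid != q_tid or r_qd != 1:    # the ID check the thread is about
        return False
    return response[12:len(query)] == query[12:]  # exact question match

def sample_response(query, tid):
    """Constructed test input: an empty response echoing the question with a given ID."""
    return struct.pack("!HHHHHH", tid, 0x8180, 1, 0, 0, 0) + query[12:]

def accepted_ids(query):
    """All 16-bit IDs for which an otherwise well-formed response passes the check."""
    return [t for t in range(65536) if accept_response(query, sample_response(query, t))]

if __name__ == "__main__":
    tid, q = build_query("example.org")
    print("random tid: accepted IDs =", accepted_ids(q), "(unknown before sending)")
    _, q0 = build_query("example.org", tid=0)
    print("tid fixed to 0: accepted IDs =", accepted_ids(q0), "(known before sending)")
```

In both cases exactly one ID passes, but with the ID fixed at 0 that value is known to everyone in advance, so the source port is the only unpredictable field left in the request.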