On Fri, Jan 6, 2012 at 19:46, Russ Allbery <r...@debian.org> wrote:
> Sergiusz Pawlowicz <sergi...@pawlowicz.name> writes:
>
>> As dnscache in the Debian package is not configured to be run out of the
>> box, the security team effectively prohibits the community from using
>> absolutely free, safe and efficient software, as there are no exploits
>> available when you configure it on the loopback interface or for hosts
>> you trust, e.g. for your cloud of services.
>
> Well, there aren't *no* exploits; there's still the standard DNS cache
> poisoning attack by brute-force port guessing after inducing queries that
> is inherent in non-DNSSEC and present in every server, and which can be
> done (with more difficulty) even if you can't query the server directly if
> you can induce a trusted service to do DNS queries. But that isn't a
> djbdns-specific problem.
Dear Russ,

I would like to repeat my statement: this bug, #516394, is not exploitable if your DNS cache is not directly available to an attacker. Because of the design of DNS, I do not propose that anyone make any DNS cache available to third parties. But, again, the djbdns Debian package has no such service out of the box, and it must be enabled by an administrator.

I can prove an admin can configure e.g. httpd to show your whole / filesystem tree; does it mean we must remove httpd from Debian?

Serge