There's now a published exploit explicitly targeting things running adns:
http://milw0rm.com/exploits/6197
I believe it would be good to make an upload soon that makes it clear to users
that adns should not be used outside trusted environments.
Thijs
I wrote:
> perhaps this longer explanation from the INSTALL to a file under /u/s/d/,
> e.g. README.security.
That should be "README.Debian".
Thijs
On Tuesday 29 July 2008 23:50, Ian Jackson wrote:
> For secure and reasonable operation you MUST run a full-service
> nameserver on the same system as your adns applications, or on the
> same local, fully trusted network. You MUST only list such
> nameservers in the adns configuration (eg
Ian Jackson wrote:
> [snip]
this seems mostly reasonable to me and this mirrors the recommendation
in DSA-1605-1.
--
Robert Edmonds
[EMAIL PROTECTED]
Robert Edmonds writes ("Re: Bug#492698: appears to be vulnerable to cache
poisoning attack CVE-2008-1447"):
> [ CC'ing Ian. ]
> Ian, are you planning a fix for this?
The short answer is no, not in any reasonable timescale. It's not
even clear whether a fix is possible
[ CC'ing Ian. ]
Ian, are you planning a fix for this?
the relevant recommendations, btw, are available in an ietf draft rfc:
http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience
Thijs Kinkhorst wrote:
> Package: adns
> Version: 1.4-0.1
> Severity: important
> Tags: security
>
> Hi,
Package: adns
Version: 1.4-0.1
Severity: important
Tags: security
Hi,
From inspecting the code of adns, it seems that it is not using the
recommended source port randomisation for countering the cache poisoning
attack as discovered by Dan Kaminsky and referenced as CVE-2008-1447.
Since this is a