[SECURITY] [DSA 1544-2] New pdns-recursor packages fix predictable randomness
From: Florian Weimer <fw <at> deneb.enyo.de>
Subject: [SECURITY] [DSA 1544-2] New pdns-recursor packages fix predictable randomness
Newsgroups: gmane.comp.security.bugtraq
Date: 2008-07-16 19:09:37 GMT
------------------------------------------------------------------------
Debian Security Advisory DSA-1544-2                 security <at> debian.org
http://www.debian.org/security/                           Florian Weimer
July 16, 2008                         http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : pdns-recursor
Vulnerability  : insufficient randomness
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-1637
Debian Bug     : 490069

Thomas Biege discovered that the upstream fix for the weak random number
generator released in DSA-1544-1 was incomplete: source port randomization
still did not use difficult-to-predict random numbers. This is corrected in
this security update.

Here is the text of the original advisory:

Amit Klein discovered that pdns-recursor, a caching DNS resolver, uses a
weak random number generator to create DNS transaction IDs and UDP source
port numbers. As a result, cache poisoning attacks were simplified.
(CVE-2008-1637)

In the light of recent DNS-related developments (documented in DSAs 1603,
1604, 1605), we recommend that this update is installed as an additional
safety measure. (The lack of source port randomization was addressed in
the 3.1.6 upstream version.)
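A defender-side check for the weakness this advisory describes, added here as an example (it is not part of the advisory or of PowerDNS): given the transaction IDs and UDP source ports observed on a resolver's outgoing queries, it flags a counter-style TXID sequence, a fixed source port, or a field whose empirical entropy falls well short of what the sample size allows. The observations below are constructed, not captured.

```python
"""Assess how unpredictable a resolver's query TXIDs and source ports look."""
import math
import random
from collections import Counter


def shannon_entropy_bits(values):
    """Empirical Shannon entropy of a sample, in bits (capped at log2(n))."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_sequential(values, tolerance=0.8):
    """True when most consecutive 16-bit differences are identical (a counter)."""
    diffs = [(b - a) & 0xFFFF for a, b in zip(values, values[1:])]
    if not diffs:
        return False
    most_common = Counter(diffs).most_common(1)[0][1]
    return most_common / len(diffs) >= tolerance


def assess_queries(txids, sports):
    """Return findings for the TXID and source-port fields of observed queries."""
    findings = {
        "txid_entropy_bits": round(shannon_entropy_bits(txids), 2),
        "sport_entropy_bits": round(shannon_entropy_bits(sports), 2),
        "txid_sequential": looks_sequential(txids),
        "sport_fixed": len(set(sports)) == 1,
    }
    # With n samples the estimate cannot exceed log2(n); a field drawn from a
    # good generator should sit close to that cap, not several bits below it.
    cap = math.log2(len(txids))
    findings["txid_weak"] = findings["txid_sequential"] or findings["txid_entropy_bits"] < cap - 1
    findings["sport_weak"] = findings["sport_fixed"] or findings["sport_entropy_bits"] < cap - 1
    return findings


# Constructed observations: a counting TXID with one fixed port (the weak pattern),
# beside 64 values spread over the full ranges (seeded only so the demo repeats).
WEAK_TXIDS = [(0x1234 + i) & 0xFFFF for i in range(64)]
WEAK_SPORTS = [53] * 64
_rng = random.Random(7)
STRONG_TXIDS = [_rng.randint(0, 0xFFFF) for _ in range(64)]
STRONG_SPORTS = [_rng.randint(1024, 65535) for _ in range(64)]

if __name__ == "__main__":
    print("weak  :", assess_queries(WEAK_TXIDS, WEAK_SPORTS))
    print("strong:", assess_queries(STRONG_TXIDS, STRONG_SPORTS))
```

Feed it the TXID and source-port columns from a capture of the resolver's outbound queries taken before and after applying the update; a fixed port or a sequential TXID is a reason to treat the resolver as unpatched.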