[Bug 247409] [NEW] Python-dns does not randomize TID causing DNS poisoning risk
Scott Kitterman
ubuntu at kitterman.com
Thu Jul 10 21:33:35 UTC 2008
*** This bug is a security vulnerability ***
Private security bug reported:
Binary package hint: python-dns
Ideally one wants to randomize port and TID. Python-dns opens a new
socket for each request, so the OS should handle socket randomization.
Dapper does not. Hardy does. Do not know about Feisty/Gutsy. Python-
dns does not randomize TID. Upstream will release a new version that
supports that to resolve their part of the problem.
** Affects: linux-source-2.6.15 (Ubuntu)
Importance: Undecided
Status: Invalid
** Affects: linux-source-2.6.20 (Ubuntu)
Importance: Undecided
Status: Invalid
** Affects: linux-source-2.6.22 (Ubuntu)
Importance: Undecided
Status: New
** Affects: python-dns (Ubuntu)
Importance: Medium
Assignee: Scott Kitterman (kitterman)
Status: In Progress
** Affects: linux-source-2.6.15 (Ubuntu Dapper)
Importance: High
Status: Confirmed
** Affects: linux-source-2.6.20 (Ubuntu Dapper)
Importance: Undecided
Status: Invalid
** Affects: linux-source-2.6.22 (Ubuntu Dapper)
Importance: Undecided
Status: New
** Affects: python-dns (Ubuntu Dapper)
Importance: Medium
Status: Confirmed
** Affects: linux-source-2.6.15 (Ubuntu Feisty)
Importance: Undecided
Status: Invalid
** Affects: linux-source-2.6.20 (Ubuntu Feisty)
Importance: Undecided
Status: New
** Affects: linux-source-2.6.22 (Ubuntu Feisty)
Importance: Undecided
Status: New
** Affects: python-dns (Ubuntu Feisty)
Importance: Medium
Status: Confirmed
** Affects: linux-source-2.6.15 (Ubuntu Gutsy)
Importance: Undecided
Status: Invalid
** Affects: linux-source-2.6.20 (Ubuntu Gutsy)
Importance: Undecided
Status: Invalid
** Affects: linux-source-2.6.22 (Ubuntu Gutsy)
Importance: Undecided
Status: New
** Affects: python-dns (Ubuntu Gutsy)
Importance: Medium
Status: Confirmed
** Affects: linux-source-2.6.15 (Ubuntu Hardy)
Importance: Undecided
Status: Invalid
** Affects: linux-source-2.6.20 (Ubuntu Hardy)
Importance: Undecided
Status: Invalid
** Affects: linux-source-2.6.22 (Ubuntu Hardy)
Importance: Undecided
Status: New
** Affects: python-dns (Ubuntu Hardy)
Importance: Medium
Status: Confirmed
** Affects: python-dns (Debian)
Importance: Unknown
Status: Unknown
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1447
** Bug watch added: Debian Bug tracker #490217
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490217
** Also affects: python-dns (Debian) via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490217
Importance: Unknown
Status: Unknown
** Changed in: python-dns (Ubuntu)
Importance: Undecided => Medium
Assignee: (unassigned) => Scott Kitterman (kitterman)
Status: New => In Progress
** Description changed:
Binary package hint: python-dns
-
- https://www.kb.cert.org/vuls/id/457875
Ideally one wants to randomize port and TID. Python-dns opens a new
socket for each request, so the OS should handle socket randomization.
Dapper does not. Hardy does. Do not know about Feisty/Gutsy. Python-
dns does not randomize TID. Upstream will release a new version that
supports that to resolve their part of the problem.
** Changed in: python-dns (Ubuntu Dapper)
Importance: Undecided => Medium
Status: New => Confirmed
** Changed in: python-dns (Ubuntu Feisty)
Importance: Undecided => Medium
Status: New => Confirmed
** Changed in: python-dns (Ubuntu Gutsy)
Importance: Undecided => Medium
Status: New => Confirmed
** Changed in: python-dns (Ubuntu Hardy)
Importance: Undecided => Medium
Status: New => Confirmed
** Also affects: linux-source-2.6.15 (Ubuntu)
Importance: Undecided
Status: New
** Changed in: linux-source-2.6.15 (Ubuntu Dapper)
Importance: Undecided => High
Status: New => Confirmed
** Changed in: linux-source-2.6.15 (Ubuntu Feisty)
Status: New => Invalid
** Changed in: linux-source-2.6.15 (Ubuntu Gutsy)
Status: New => Invalid
** Changed in: linux-source-2.6.15 (Ubuntu Hardy)
Status: New => Invalid
** Changed in: linux-source-2.6.15 (Ubuntu)
Status: New => Invalid
** Also affects: linux-source-2.6.20 (Ubuntu)
Importance: Undecided
Status: New
** Changed in: linux-source-2.6.20 (Ubuntu Dapper)
Status: New => Invalid
** Changed in: linux-source-2.6.20 (Ubuntu)
Status: New => Invalid
** Changed in: linux-source-2.6.20 (Ubuntu Gutsy)
Status: New => Invalid
** Changed in: linux-source-2.6.20 (Ubuntu Hardy)
Status: New => Invalid
** Also affects: linux-source-2.6.22 (Ubuntu)
Importance: Undecided
Status: New
--
Python-dns does not randomize TID causing DNS poisoning risk
https://bugs.launchpad.net/bugs/247409
You received this bug notification because you are a member of Kernel
Bugs, which is subscribed to linux-source-2.6.15 in ubuntu.
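
Added example (not part of the original bug report, and not python-dns code): a minimal stub-resolver sketch of the two mitigations the description names, a TID drawn from a CSPRNG and a fresh socket per request so the OS assigns the source port, plus the reply check that makes them count. All function names are hypothetical, and `server` is assumed to be an (IPv4 literal, port) tuple.

```python
import secrets
import socket
import struct
import time

def encode_qname(name):
    """Encode a hostname as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1):
    """Return (tid, packet) for a recursive query with an unpredictable TID."""
    tid = secrets.randbelow(1 << 16)  # CSPRNG, not a counter or a fixed value
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN
    return tid, header + question

def accept_response(packet, sender, tid, server, query):
    """Accept a reply only if sender, TID, QR bit and echoed question match."""
    if sender != server or len(packet) < 12:  # must come from the (ip, port) queried
        return False
    rtid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if rtid != tid or not flags & 0x8000 or qdcount != 1:
        return False
    question = query[12:]
    return packet[12:12 + len(question)] == question

def resolve(name, server, timeout=3.0):
    """Send one query from a fresh socket so the OS assigns the source port."""
    tid, query = build_query(name)
    deadline = time.monotonic() + timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(query, server)  # unbound socket: the kernel picks the port
        while (left := deadline - time.monotonic()) > 0:
            sock.settimeout(left)
            packet, sender = sock.recvfrom(4096)
            if accept_response(packet, sender, tid, server, query):
                return packet  # non-matching datagrams are dropped, not trusted
    raise socket.timeout("no matching DNS response")
```

Whether the source port is actually unpredictable depends on the kernel, which is why the report tracks the linux-source packages separately from python-dns.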