Gentoo Archives: gentoo-announce

From: Robert Buchholz <rbu@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] UPDATE: [ GLSA 200804-22 ] PowerDNS Recursor: DNS Cache Poisoning
Date: Thu, 21 Aug 2008 15:44:49
Message-Id: 200808211738.56945.rbu@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory [UPDATE] GLSA 200804-22:03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: PowerDNS Recursor: DNS Cache Poisoning
Date: April 18, 2008
Updated: August 21, 2008
Bugs: #215567, #231335
ID: 200804-22:03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Update
======

The previous version of the PowerDNS Recursor (3.1.5) did not
properly address the issue, as UDP source port selection was
insufficiently randomized. We advise all users to upgrade to 3.1.6.

The updated sections appear below.

Affected packages
=================

-------------------------------------------------------------------
 Package                 /  Vulnerable  /                 Unaffected
-------------------------------------------------------------------
 1  net-dns/pdns-recursor    < 3.1.6                       >= 3.1.6

Description
===========

Amit Klein of Trusteer reported that insufficient randomness is used to
calculate the TRXID (DNS transaction ID) values and the UDP source port
numbers (CVE-2008-1637). Thomas Biege of SUSE pointed out that a prior
fix to resolve this issue was incomplete, as it did not always enable
the stronger random number generator for source port selection
(CVE-2008-3217).
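
As an added illustration (not part of the GLSA, nor PowerDNS code), the check below estimates how much entropy a resolver's outbound queries actually carry in the two fields the advisory names, the UDP source port and the transaction ID, from a sample of observed (port, txid) pairs. The sample sets are constructed, and `shannon_bits`, `assess_randomness` and the two-bit slack threshold are assumptions of this example, not anything defined by the advisory.

```python
import math
import random
from collections import Counter


def shannon_bits(values):
    """Empirical Shannon entropy, in bits, of the observed values."""
    n = len(values)
    counts = Counter(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def assess_randomness(samples, slack_bits=2.0):
    """Score (source_port, txid) pairs taken from a resolver's outbound queries.

    The empirical entropy of n samples can never exceed log2(n), and each field
    is 16 bits wide, so the ceiling is min(16, log2(n)). A field is flagged weak
    when it falls more than `slack_bits` below that ceiling, which is what a
    recursor that reuses a port or draws it from a narrow range looks like.
    """
    n = len(samples)
    if n < 64:
        raise ValueError("need at least 64 samples for a meaningful estimate")
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    ceiling = min(16.0, math.log2(n))
    port_bits = shannon_bits(ports)
    txid_bits = shannon_bits(txids)
    return {
        "samples": n,
        "ceiling_bits": ceiling,
        "port_bits": port_bits,
        "txid_bits": txid_bits,
        "port_weak": port_bits < ceiling - slack_bits,
        "txid_weak": txid_bits < ceiling - slack_bits,
    }


# Constructed sample sets (not real captures). WEAK mimics a resolver whose
# TXID is random but whose source port is drawn from only eight values;
# STRONG mimics one that randomizes both fields over their full range.
_rng = random.Random(20080822)
WEAK = [(1024 + _rng.randrange(8), _rng.randrange(65536)) for _ in range(4096)]
STRONG = [(_rng.randrange(1024, 65536), _rng.randrange(65536)) for _ in range(4096)]

if __name__ == "__main__":
    for name, data in (("weak", WEAK), ("strong", STRONG)):
        r = assess_randomness(data)
        print(f"{name}: port {r['port_bits']:.2f} bits (weak={r['port_weak']}), "
              f"txid {r['txid_bits']:.2f} bits (weak={r['txid_weak']})")
```

Against a live resolver the pairs would come from a packet capture of its own outbound UDP port 53 queries; a few thousand samples are enough to separate a resolver with the 3.1.5 behaviour from one that randomizes properly.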

Impact
======

A remote attacker could send malicious answers to insert arbitrary DNS
data into the cache. These attacks would in turn help an attacker to
perform man-in-the-middle and site impersonation attacks.

Resolution
==========

All PowerDNS Recursor users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-dns/pdns-recursor-3.1.6"

References
==========

[ 1 ] CVE-2008-1637
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1637
[ 2 ] CVE-2008-3217
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3217

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200804-22.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or, alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
