Your message dated Wed, 23 Jul 2008 16:26:49 +0200 with message-id <[EMAIL PROTECTED]> and subject line Re: Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447] has caused the Debian Bug report #491809, regarding libc6: DNS spoofing vulnerability [CVE-2008-1447] to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.) -- 491809: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=491809 Debian Bug Tracking System Contact [EMAIL PROTECTED] with problems
--- Begin Message ---Package: libc6 Version: 2.7-12 Severity: critical Tags: security The glibc stub resolver is vulnerable to CVE-2008-1447, according to DSA 1605. Since the vast majority of network-using programs use glibc as a resolver, this vulnerability affects virtually any network-using program, hence the severity. libc6 should not be released without a fix for this problem. The vulnerability has been exposed: http://demosthen.es/post/43048623/reliable-dns-forgery-in-2008 If Slashdot knows it, so does everyone else. -- System Information: Debian Release: lenny/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 2.6.26-trunk-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages libc6 depends on: ii libgcc1 1:4.3.1-6 GCC support library libc6 recommends no packages. Versions of packages libc6 suggests: pn glibc-doc <none> (no description available)ii locales-all [locales] 2.7-12 GNU C Library: Precompiled locale-- debconf information: glibc/upgrade: true glibc/restart-failed: glibc/restart-services: -- brian m. carlson / brian with sandals: Houston, Texas, US +1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---On Tue, Jul 22, 2008 at 04:02:13PM +0000, Pierre Habouzit wrote: > On Tue, Jul 22, 2008 at 03:24:06PM +0000, Florian Weimer wrote: > > * Aurelien Jarno: > > > > >> Currently, there is no suitable patch to backport. I hope that improved > > >> port randomization will be available shortly. > > > > > > You mean a patch for the kernel? > > > > Yes, one for the kernel, and one for the transaction ID generation in > > the libc resolver, too. > > > > (Oh, and "shortly" == "next week or so".) > > Assuming the TID generator for the glibc is "good enough" and that the > flaw is the one described in [0], then the glibc code (even nscd) isn't > vulnerable, because it doesn't cache or even look at the additional > records. > > The problems with QID randomization are quite orthogonal, and it's a > problem known for 20 years now (using last QID+1 isn't really an option > ;p). Having a better random number generator will probably help, but > quite doesn't require such a severity (as there is already randomization > of the QIDs, maybe not a perfect one). > > So unless you have further non yet disclosed informations, I'd > suggest reconsidering the DSA. Kaminsky agrees confirm the issue, so I can say for sure that the glibc isn't vulnerable to the attack he describes, as it needs a resolver that caches additionnal RRs, which the glibc doesn't do. As of attacks that would use non randomized source port use, this is addressed by recent kernels hence is fixed enough. Note that such answers are only cached when nscd host caching is in used, and it's off by default in Debian nscd default setup. I'm hence closing the bug. -- ·O· Pierre Habouzit ··O [EMAIL PROTECTED] OOO http://www.madism.orgpgperuBRbV1ci.pgp
Description: PGP signature
--- End Message ---