Polipo does not cache DNS, so it is not vulnerable.

Also, polipo makes a new UDP socket for each query, which means a new UDP
query source port; this more or less makes the spoof more difficult. How
random the query source port is depends on the OS.

Regards,
Ming

On Wed, Jul 9, 2008 at 4:00 AM, Gabriel Kerneis <[EMAIL PROTECTED]> wrote:

> Hi Juliusz,
>
> according to a recent DSA:
>  Dan Kaminsky discovered that properties inherent to the DNS protocol
>  lead to practical DNS spoofing and cache poisoning attacks.  Among
>  other things, successful attacks can lead to misdirected web traffic
>  and email rerouting.
>
> Is polipo's internal resolver impacted? Do you plan to fix it quickly if
> this is the case?
>
> Otherwise, polipo users can refer to the DSA (see at the end of the mail)
> to fix the vulnerability in the libc stub resolver, and then use it in
> polipo (dnsUsegethostbyname = yes).
>
> Regards,
>                          Gabriel
>
> ----- Forwarded message from Florian Weimer <[EMAIL PROTECTED]> -----
>
> From: Florian Weimer <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Date: Tue, 08 Jul 2008 19:05:29 +0200
> Subject: [Equipe-Rezel] [SECURITY] [DSA 1605-1] DNS vulnerability impact on
>        the libc stub resolver
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ------------------------------------------------------------------------
> Debian Security Advisory DSA-1605-1                  [EMAIL PROTECTED]
> http://www.debian.org/security/                           Florian Weimer
> July 08, 2008                         http://www.debian.org/security/faq
> - ------------------------------------------------------------------------
>
> Package        : glibc
> Vulnerability  : DNS cache poisoning
> Problem type   : remote
> Debian-specific: no
> CVE Id(s)      : CVE-2008-1447
> CERT advisory  : VU#800113
>
>
> Dan Kaminsky discovered that properties inherent to the DNS protocol
> lead to practical DNS spoofing and cache poisoning attacks.  Among
> other things, successful attacks can lead to misdirected web traffic
> and email rerouting.
>
> At this time, it is not possible to implement the recommended
> countermeasures in the GNU libc stub resolver.  The following
> workarounds are available:
>
> 1. Install a local BIND 9 resolver on the host, possibly in
> forward-only mode.  BIND 9 will then use source port randomization
> when sending queries over the network.  (Other caching resolvers can
> be used instead.)
>
> 2. Rely on IP address spoofing protection if available.  Successful
> attacks must spoof the address of one of the resolvers, which may not
> be possible if the network is guarded properly against IP spoofing
> attacks (both from internal and external sources).
>
> This DSA will be updated when patches for hardening the stub resolver
> are available.
>
> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-securitydists/stable/updates/main
> Mailing list: [EMAIL PROTECTED]
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iQEVAwUBSHOIFr97/wQC1SS+AQIscwf+KBKMT4hcpB5TCNE+0v1DNBHiQ4rh7ktz
> KiOyLWEJOaxOrpsR8siA6B6newiLe5KfwojDikqSCXbubTCeicj79HTCx5DzzhTm
> aa3HePARxmtN1AuyFCebOfklibTtyY/gpwydCdAVBiV0+LmD+jXy9Jx4AfyuibXZ
> VaqkUTj5sUUQn5CacdI1zc1Ky1rzbzRBBoNJ1D1rRBU1wjoGsvVjBV9p24j/1E2c
> mYtbY3g1FKmhnOTLBac/AAW62ZQ44yf4QcGgwV8CULfi5c2QmGiRYZioWDVd0pfZ
> hr2h/Vmjs2qgf8B9FmYet0hEGm6SrEryT2ievlqXkpul0MYtHjJ5iw==
> =CMHb
> -----END PGP SIGNATURE-----
>
> ----- End forwarded message -----
>
> -------------------------------------------------------------------------
> Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
> Studies have shown that voting for your favorite open source project,
> along with a healthy diet, reduces your potential for chronic lameness
> and boredom. Vote Now at http://www.sourceforge.net/community/cca08
> _______________________________________________
> Polipo-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/polipo-users
>
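The two technical points in this thread, Ming's remark that a fresh UDP socket per query yields a fresh source port whose randomness is OS dependent, and the DSA's note that source port randomization is the recommended countermeasure, can both be checked locally. The following Python script is an added example, not code from polipo, from Ming, or from the Debian advisory. It imitates the one-socket-per-query pattern on the loopback interface without sending a single packet (binding to port 0 is enough to see which ephemeral port the OS hands out), summarises how predictable those ports look, and models why a larger port space shrinks an attacker's chance of landing a forged response. The function names, the sample size and the 64000-port figure used in the model are my own assumptions.

```python
import socket
from collections import Counter


def sample_udp_source_ports(n=200):
    """Open n fresh UDP sockets, as a per-query resolver would, and record
    the ephemeral source port the OS assigns to each.  Nothing is sent on
    the wire: binding to port 0 on loopback is enough to observe the
    OS's choice.  Sockets stay open until the end so no port is reused."""
    ports, socks = [], []
    try:
        for _ in range(n):
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.bind(("127.0.0.1", 0))          # port 0: let the OS choose
            socks.append(s)
            ports.append(s.getsockname()[1])  # (addr, port) -> port
    finally:
        for s in socks:
            s.close()
    return ports


def port_stats(ports):
    """Summarise how predictable the observed ports are.

    distinct        - how many different ports were seen
    span            - width of the range they fall in
    sequential_steps- how often port[i+1] == port[i] + 1; a sequential
                      allocator (the weak case) drives this towards n-1,
                      a randomising one keeps it near zero."""
    sequential = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return {
        "samples": len(ports),
        "distinct": len(set(ports)),
        "span": max(ports) - min(ports),
        "sequential_steps": sequential,
        "most_common_port": Counter(ports).most_common(1)[0][0],
    }


def spoof_success_probability(attempts, txid_space=65536, port_space=1):
    """Probability that at least one of `attempts` forged replies matches
    both the 16-bit transaction ID and the query source port, assuming
    each is chosen uniformly and independently (a simplifying model, not
    a claim about any particular resolver).  port_space=1 is the fixed
    source port case the advisory warns about."""
    per_try = 1.0 / (txid_space * port_space)
    return 1.0 - (1.0 - per_try) ** attempts


if __name__ == "__main__":
    observed = sample_udp_source_ports()
    stats = port_stats(observed)
    print("ephemeral port sample on this host:", stats)
    # Same number of forgery attempts, fixed port versus ~64000 random ports
    # (64000 is an assumed size for a typical ephemeral range).
    for space in (1, 64000):
        p = spoof_success_probability(65536, port_space=space)
        print(f"port_space={space:>6}: P(success after 65536 tries) = {p:.6f}")
```

Run it as an ordinary script on the host that will run polipo: a `sequential_steps` value close to `samples - 1` means the OS is handing out consecutive ports, which is the case the DSA's first workaround (a local caching resolver that randomises ports itself) is meant to cover.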