Your message dated Fri, 25 Oct 2024 11:14:19 -0300
with message-id <Zxunu5egXo2mbF5A@voleno>
and subject line Re: Bug#492465: python-dnspython: appears to be vulnerable to
cache poisoning attack CVE-2008-1447
has caused the Debian Bug report #492465,
regarding python-dnspython: appears to be vulnerable to cache poisoning attack
CVE-2008-1447
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
492465: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492465
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-dnspython
Version: 1.3.5-3.1 1.6.0-1
Severity: grave
Tags: security
Hi,
From inspecting the code of dnspython, it seems that it is not using the
recommended source port randomisation for countering the cache poisoning
attack as discovered by Dan Kaminski and referenced as CVE-2008-1447.
Could you please look into this and see whether updated packages can and
should be created for etch/lenny/sid?
thanks,
Thijs
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.18-6-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
--- End Message ---
--- Begin Message ---
Version: 1.7.1-1
On 25/10/24 at 15:05, Moritz Mühlenhoff wrote:
> On Wed, Oct 23, 2024 at 07:23:23PM -0300 Santiago Ruano Rincón wrote:
> > On 22/10/24 at 00:05, Bob Halley wrote:
> > > This is a blast from the past; 2008 is a LONG time ago!
> >
> > Indeed! :-)
> >
> > > It should be fine, as of 1.7 since the entropy pool added then would help
> > > with query id randomness. Newer dnspython releases use the system's
> > > randomness source via python APIs instead of the dnspython entropy pool
> > > if possible, so should be even better. Also dnspython creates a new
> > > socket for every query, so there will be port randomization from the OS
> > > most likely as well. Finally, dnspython doesn't cache by default, and
> > > even if its optional caching features are enabled, the nature of the way
> > > it caches does not leave it susceptible to the Kaminsky style attacks.
> > > Also it is probably harder for an attacker to send a giant stream of
> > > queries through dnspython than it is to send them to an ISP in most
> > > things that use dnspython.
> >
> > Thanks a lot for your answer.
> >
> > Given the above, if there are no objections, I would close this bug with
> > Version: 1.7.1-.
> >
> > Dear security team, would you agree with changing this in the security
> > tracker?
>
> Looks good.
Done. Thank you!
--- End Message ---
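The mitigation Bob Halley describes above (random query IDs plus a fresh socket, hence an OS-chosen source port, per query) is what a defender would verify before closing a report like this one. The following is an added example, not code from the bug report or from dnspython: pure-stdlib helpers that take observed (source port, transaction ID) pairs of a stub resolver, for instance parsed from a packet capture, and flag the predictable patterns that make CVE-2008-1447 cheap. The traffic generator is constructed sample data, and the port range and thresholds are assumptions.

```python
# Added example (not dnspython's own code): audit whether a resolver's
# queries randomise the 16-bit transaction ID and the UDP source port.
import secrets
import struct

# DNS header: id, flags, qdcount, ancount, nscount, arcount (RFC 1035)
DNS_HEADER = struct.Struct("!HHHHHH")


def txid_from_query(payload: bytes) -> int:
    """Extract the 16-bit transaction ID from a raw DNS message."""
    if len(payload) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    return DNS_HEADER.unpack_from(payload)[0]


def audit_randomisation(pairs):
    """pairs: successive (source_port, txid) observations of one resolver.
    Any True finding means an off-path attacker needs few guesses."""
    pairs = list(pairs)
    if len(pairs) < 2:
        raise ValueError("need at least two observations")
    ports = [p for p, _ in pairs]
    txids = [t for _, t in pairs]
    # constant step between consecutive IDs (including step 0) is predictable
    deltas = {(b - a) & 0xFFFF for a, b in zip(txids, txids[1:])}
    return {
        "fixed_source_port": len(set(ports)) == 1,
        "predictable_txid": len(deltas) == 1,
    }


def constructed_queries(n: int, randomised: bool):
    """Constructed sample traffic as (source_port, raw_query) tuples.
    randomised=False mimics the concern in the report: one port, counting IDs;
    randomised=True mimics per-query sockets with ephemeral ports (assumed
    range 49152-65535) and CSPRNG-chosen IDs."""
    out = []
    for i in range(n):
        if randomised:
            port, txid = 49152 + secrets.randbelow(16384), secrets.randbelow(65536)
        else:
            port, txid = 5353, i & 0xFFFF
        # standard query header (RD set) plus question "example." IN A
        query = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0)
        query += b"\x07example\x00\x00\x01\x00\x01"
        out.append((port, query))
    return out


def audit_packets(packets):
    """Run the audit directly on (source_port, raw DNS query) captures."""
    return audit_randomisation((p, txid_from_query(q)) for p, q in packets)
```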
_______________________________________________
Python-modules-team mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/python-modules-team