Bug#493576: pdns-server: CVE-2008-3217 ( PowerDNS Recursor before 3.1.6 does not always use the strongest random number generator... )

2008-08-03 Thread Thomas Bläsing
Package: pdns-server
Version: 2.9.21-6
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for pdns-server.

CVE-2008-3217[0]:
| PowerDNS Recursor before 3.1.6 does not always use the strongest
| random number generator for source port selection, which makes it
| easier for remote attack vectors to conduct DNS cache poisoning.
| NOTE: this is related to incomplete integration of security
| improvements associated with addressing CVE-2008-1637.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3217
http://security-tracker.debian.net/tracker/CVE-2008-3217

Kind regards,
Thomas.






2008-08-03 Thread Christoph Haas
On Sunday, 3 August 2008, Thomas Bläsing wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for pdns-server.

Not exactly - the CVE was assigned to the pdns-recursor package. 
pdns-server and pdns-recursor are separate packages. I have added the CVE
to pdns-recursor's changelog. I'm downgrading the priority of
the bug because it's mainly cosmetic.

Thanks anyway for the report.

 Christoph

