Bug#516394: [security]: Rapid DNS Poisoning in dnscache
Hello,

On 02/13/2014 08:30 PM, coldtobi wrote:
> Source: djbdns
> Followup-For: Bug #516394
>
> Hi,
>
> regarding this bug: It seems that the German Chaos Computer Club's DNS
> got owned due to this bug. [1]

no. It is not Debian's fault when users do not install security updates.

hth

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#516394: [security]: Rapid DNS Poisoning in dnscache
Source: djbdns
Followup-For: Bug #516394

Hi,

regarding this bug: It seems that the German Chaos Computer Club's DNS got owned due to this bug. [1]

It might be arguable if DNS is generally broken or not, but according to [2] and the fact that the attack indeed happened sheds a bad light on djbdns -- patches have been available for 5 years!

So *please* fix this issue (patches are available!) or remove djbdns from Debian. Reasons would be RoQA, RC buggy for years, dead upstream, better alternatives available. I'd incline to removal, at least of the original version (if the fork is not affected)

--
coldtobi

[1] (Sorry, German) http://www.heise.de/newsticker/meldung/DNS-Server-des-CCC-Anfaellig-wegen-veralteter-Software-2112171.html
[2] http://www.your.org/dnscache/djbdns.pdf

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Bug#516394: [security]: Rapid DNS Poisoning in dnscache
* Florian Weimer:

> * Luk Claes:
>
>> Gerrit Pape wrote:
>>> On Thu, Oct 01, 2009 at 10:28:35PM +0200, Luk Claes wrote:
>>>> Any reason why there was no upload for this security issue to unstable yet?
>>>
>>> Hi, I made my position as the maintainer of the package clear in
>>>
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516394#36
>>>
>>> and some private discussions with the security team. In my opinion the
>>> issue is fixed sufficiently in unstable and testing, and the same
>>> changes should go into stable. I offered to prepare the packages, but
>>> the security team declined
>>
>> It seems that the security team does not agree that the bug is
>> sufficiently fixed or do they (in Cc)?
>
> djbdns should not be part of squeeze until it is properly hardened
> against cache poisoning. It is between 100 and 200 times easier than
> with other DNS servers.
>
> This hasn't got to do much with bug 516394, though.

Correction: It is related to 516394. Specifically, all publicly available information suggests dnscache (with the alleged fixes applied) can be poisoned within 40 minutes or so on Fast Ethernet, while other implementations withstand an attack on Gigabit Ethernet for half a day. The SOA cache bypass is not essential, so patching it away does not really address the issue. It is possible to force cache misses by cycling QTYPEs or QNAMEs, too.
Bug#516394: [security]: Rapid DNS Poisoning in dnscache
Florian Weimer wrote:
> * Luk Claes:
>
>> Gerrit Pape wrote:
>>> On Thu, Oct 01, 2009 at 10:28:35PM +0200, Luk Claes wrote:
>>>> Any reason why there was no upload for this security issue to unstable yet?
>>> Hi, I made my position as the maintainer of the package clear in
>>>
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516394#36
>>>
>>> and some private discussions with the security team. In my opinion the
>>> issue is fixed sufficiently in unstable and testing, and the same
>>> changes should go into stable. I offered to prepare the packages, but
>>> the security team declined
>> It seems that the security team does not agree that the bug is
>> sufficiently fixed or do they (in Cc)?
>
> djbdns should not be part of squeeze until it is properly hardened
> against cache poisoning. It is between 100 and 200 times easier than
> with other DNS servers.
>
> This hasn't got to do much with bug 516394, though.

Ok, removal hint for djbdns added so it gets removed from testing for now.

It would be good if similar cases would also be communicated to the Release Team and/or filed as RC bugs against the affected packages.

Cheers

Luk
Bug#516394: [security]: Rapid DNS Poisoning in dnscache
* Luk Claes:

> Gerrit Pape wrote:
>> On Thu, Oct 01, 2009 at 10:28:35PM +0200, Luk Claes wrote:
>>> Any reason why there was no upload for this security issue to unstable yet?
>>
>> Hi, I made my position as the maintainer of the package clear in
>>
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516394#36
>>
>> and some private discussions with the security team. In my opinion the
>> issue is fixed sufficiently in unstable and testing, and the same
>> changes should go into stable. I offered to prepare the packages, but
>> the security team declined
>
> It seems that the security team does not agree that the bug is
> sufficiently fixed or do they (in Cc)?

djbdns should not be part of squeeze until it is properly hardened against cache poisoning. It is between 100 and 200 times easier than with other DNS servers.

This hasn't got to do much with bug 516394, though.
Bug#516394: [security]: Rapid DNS Poisoning in dnscache
Gerrit Pape wrote:
> On Thu, Oct 01, 2009 at 10:28:35PM +0200, Luk Claes wrote:
>> Any reason why there was no upload for this security issue to unstable yet?
>
> Hi, I made my position as the maintainer of the package clear in
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516394#36
>
> and some private discussions with the security team. In my opinion the
> issue is fixed sufficiently in unstable and testing, and the same
> changes should go into stable. I offered to prepare the packages, but
> the security team declined

It seems that the security team does not agree that the bug is sufficiently fixed or do they (in Cc)?

> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518169#15
>
> Since then, there's no more information from them I know of. My
> suggestion still stands.

Cheers

Luk
Bug#516394: [security]: Rapid DNS Poisoning in dnscache
On Thu, Oct 01, 2009 at 10:28:35PM +0200, Luk Claes wrote:
> Any reason why there was no upload for this security issue to unstable yet?

Hi, I made my position as the maintainer of the package clear in

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516394#36

and some private discussions with the security team. In my opinion the issue is fixed sufficiently in unstable and testing, and the same changes should go into stable. I offered to prepare the packages, but the security team declined

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518169#15

Since then, there's no more information from them I know of. My suggestion still stands.

Regards, Gerrit.
Bug#516394: [security]: Rapid DNS Poisoning in dnscache
Hi

Any reason why there was no upload for this security issue to unstable yet?

Cheers

Luk
Bug#516394: [security]: Rapid DNS Poisoning in dnscache
$ zcat /usr/share/doc/djbdns/NEWS.Debian.gz |head
djbdns (1:1.05-6) unstable; urgency=medium

  CVE-2008-4392 reports 'Rapid DNS Poisoning in dnscache', the dnscache
  program included in djbdns-1.05. Upstream's comments on this can be
  read in http://cr.yp.to/djbdns/forgery.html

  The dbndns package, the Debian fork of djbdns, includes a patch that
  limits concurrent outgoing SOA queries to 20 instead 200 (MAXUDP) to
  make birthday attacks more difficult.
$ zcat /usr/share/doc/djbdns/changelog.Debian.gz |head
djbdns (1:1.05-6) unstable; urgency=medium

  * dbndns/diff/0004-dnscache.c-allow-a-maximum-of-20-concurrent...diff:
    new; dnscache.c: allow a maximum of 20 concurrent outgoing SOA
    queries (#516394).
  * debian/djbdns.NEWS.Debian: talk about the patch 0004-dnscache.c...
    being applied to the dbndns package.
  * debian/dnscache-run.postinst: restart dnscache on package upgrade.
  * debian/dbndns.README.Debian: document that patches 0003-...diff,
    0004-...dif are applied to dbndns.
$
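The NEWS entry above says the dbndns patch lowers the limit on concurrent outgoing SOA queries from 200 to 20 (MAXUDP) to make birthday attacks harder. As an added illustration that is not code from this thread or from djbdns, the Python model below quantifies what that limit buys a defender: it assumes a 16-bit transaction ID space, an independent uniformly random ID per outstanding query, and that a forged reply is accepted on an ID match alone (source-port randomization, which dnscache also uses, would enlarge the space but not change the relative factor).

```python
import math


def spoof_success_probability(in_flight: int, spoofed: int,
                              id_space: int = 2 ** 16) -> float:
    """Chance that at least one of `spoofed` forged replies (distinct IDs)
    is accepted when `in_flight` outstanding queries for the same question
    each carry an independent uniformly random ID from `id_space`.
    Model assumption (not dnscache's code): acceptance needs only an ID match."""
    if in_flight <= 0 or spoofed <= 0:
        return 0.0
    spoofed = min(spoofed, id_space)
    # Each in-flight query independently misses the forged ID set with
    # probability (1 - spoofed/id_space); all must miss for the attempt to fail.
    p_all_miss = (1.0 - spoofed / id_space) ** in_flight
    return 1.0 - p_all_miss


def spoofed_replies_for_target(in_flight: int, target: float,
                               id_space: int = 2 ** 16) -> int:
    """Smallest number of forged replies reaching at least `target` success
    probability under the same model (inverse of the function above)."""
    if not 0.0 < target < 1.0 or in_flight <= 0:
        raise ValueError("target must be in (0, 1) and in_flight positive")
    # Solve 1 - (1 - m/S)^N >= target for m.
    fraction = 1.0 - (1.0 - target) ** (1.0 / in_flight)
    return math.ceil(fraction * id_space)


def mitigation_factor(old_limit: int = 200, new_limit: int = 20,
                      target: float = 0.5, id_space: int = 2 ** 16) -> float:
    """How many times more forged traffic the lower limit demands for the
    same success probability; defaults are the constructed 200 -> 20
    comparison from the NEWS entry."""
    return (spoofed_replies_for_target(new_limit, target, id_space)
            / spoofed_replies_for_target(old_limit, target, id_space))


if __name__ == "__main__":
    for limit in (200, 20):
        print(f"in-flight={limit:3d}: ~{spoofed_replies_for_target(limit, 0.5)} "
              f"forged replies for a 50% chance")
    print(f"factor gained by 200 -> 20: {mitigation_factor():.1f}x")
```

The factor comes out close to 10 because for small m/S the success probability is roughly N*m/S, so dividing the number of in-flight queries by ten costs the attacker ten times the forged traffic, which is a linear rather than exponential gain and is why the thread still treats the limit as insufficient.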
Bug#516394: [security]: Rapid DNS Poisoning in dnscache
tags 516394 - patch
quit

On Sat, Feb 21, 2009 at 04:20:14PM +0900, Hideki Yamane (Debian-JP) wrote:
> I've found an article about DNS Cache poisoning for dnscache,
> and patch is available at his site, see http://www.your.org/dnscache/
> patches are "freely distributed", so we can apply those.
>
> It was assigned as CVE-2008-4392

Hi, unfortunately the patch has its problems

http://thread.gmane.org/gmane.network.djbdns/13705/focus=13868

See http://cr.yp.to/djbdns/forgery.html for upstream's February 2009 comments on this issue.

Regards, Gerrit.
Processed: Re: Bug#516394: [security]: Rapid DNS Poisoning in dnscache
Processing commands for cont...@bugs.debian.org:

> tags 516394 - patch
Bug#516394: [security]: Rapid DNS Poisoning in dnscache
Tags were: patch security
Tags removed: patch

> quit
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Bug#516394: [security]: Rapid DNS Poisoning in dnscache
Package: djbdns
Severity: critical
Tags: security patch
Justification: breaks the whole system

Hi,

I've found an article about DNS Cache poisoning for dnscache, and patch is available at his site, see http://www.your.org/dnscache/ patches are "freely distributed", so we can apply those.

It was assigned as CVE-2008-4392
http://web.nvd.nist.gov/view/vuln/detail;jsessionid=7afcdf51e3392babb80f256628c4?execution=e1s1

Please check above sites and release updated package.

Thanks.

--
Regards,

Hideki Yamane henrich @ debian.or.lp
Debian Maintainer/Translator