*** This bug is a security vulnerability *** Public security bug reported:
Binary package hint: bind9

Debian issued three security advisories related to the possibility of DNS cache poisoning in Bind 9 (DSA-1603), Bind 8 (DSA-1604) and the libc stub resolver (DSA-1605). Here is the description of the problem with Bind 9 from DSA-1603-1:

"Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting.

This update changes Debian's BIND 9 packages to implement the recommended countermeasure: UDP query source port randomization. This change increases the size of the space from which an attacker has to guess values in a backwards-compatible fashion and makes successful attacks significantly more difficult."

[...]

"Other caching resolvers distributed by Debian (PowerDNS, MaraDNS, Unbound) already employ source port randomization, and no updated packages are needed. BIND 9.5 up to and including version 1:9.5.0.dfsg-4 only implements a weak form of source port randomization and needs to be updated as well. For information on BIND 8, see DSA-1604-1, and for the status of the libc stub resolver, see DSA-1605-1."

As described in DSA-1605-1, the glibc stub resolver hasn't been updated yet and is still vulnerable. The advisory suggests installing a local Bind 9 resolver, possibly in forward-only mode, as a work-around.

So this bug in package glibc is a request to make the stub resolver randomize source ports as well, because non-technical Ubuntu users can't be expected to configure Bind 9 on their own.
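The advisory's point is that a resolver which sends every query from one fixed port, or from a small or sequential range (the "weak form" it mentions), leaves only the 16-bit transaction ID to be guessed. The following added example (not part of the bug report or of any Debian/Ubuntu package) profiles the UDP source ports a resolver used for its outgoing queries and estimates the resulting guess space; the (txid, src_port) samples are constructed, standing in for values pulled from a packet capture of the resolver's outbound traffic.

```python
"""Check whether a resolver randomizes the UDP source port of its DNS queries.

Input: (txid, src_port) pairs for one resolver's outbound queries, e.g. as
extracted from a packet capture. All sample data below is constructed.
"""
import math
from collections import Counter

# Constructed observations: one fixed port, one sequential range, one spread.
FIXED_PORT = [(0x1a2b + i, 53) for i in range(8)]
SEQUENTIAL = [(0x4000 + i, 32768 + i) for i in range(8)]
SPREAD = list(zip(range(8), [51203, 2117, 60455, 33019, 1025, 45678, 17432, 62999]))


def shannon_bits(values):
    """Shannon entropy of the observed values, in bits (0 for a constant)."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def port_profile(queries):
    """Classify the source-port behaviour seen in a list of (txid, port) pairs."""
    ports = [port for _, port in queries]
    distinct = len(set(ports))
    span = max(ports) - min(ports) + 1
    sequential = all(b - a == 1 for a, b in zip(ports, ports[1:]))
    if distinct == 1:
        verdict = "fixed"            # only the TXID protects the cache
    elif sequential or span <= 256:
        verdict = "weak"             # predictable or tiny port range
    else:
        verdict = "randomized"
    return {"distinct_ports": distinct, "port_span": span,
            "entropy_bits": round(shannon_bits(ports), 2), "verdict": verdict}


def guess_space_bits(queries):
    """Bits an off-path attacker must guess: 16 TXID bits plus port entropy."""
    return 16 + shannon_bits([port for _, port in queries])


if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL),
                         ("spread", SPREAD)):
        print(name, port_profile(sample), f"~{guess_space_bits(sample):.1f} bits")
```

With only eight samples the entropy estimate is capped at 3 bits, so treat the figure as a lower bound and collect a few thousand queries before judging a resolver "randomized".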
References

DSA-1603-1:
http://lists.debian.org/debian-security-announce/2008/msg00184.html
http://www.debian.org/security/2008/dsa-1603

DSA-1604-1:
http://lists.debian.org/debian-security-announce/2008/msg00185.html
http://www.debian.org/security/2008/dsa-1604

DSA-1605-1:
http://lists.debian.org/debian-security-announce/2008/msg00186.html
http://www.debian.org/security/2008/dsa-1605

** Affects: bind9 (Ubuntu)
   Importance: Undecided
   Status: New

** Affects: glibc (Ubuntu)
   Importance: Undecided
   Status: New

** Visibility changed to: Public
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1447
** Also affects: glibc (Ubuntu)
   Importance: Undecided
   Status: New

-- 
[CVE-2008-1447] Randomize DNS query source ports to prevent cache poisoning
https://bugs.launchpad.net/bugs/246702