
Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]



On Tue, Jul 22, 2008 at 03:24:06PM +0000, Florian Weimer wrote:
> * Aurelien Jarno:
> 
> >> Currently, there is no suitable patch to backport.  I hope that improved
> >> port randomization will be available shortly.
> >
> > You mean a patch for the kernel?
> 
> Yes, one for the kernel, and one for the transaction ID generation in
> the libc resolver, too.
> 
> (Oh, and "shortly" == "next week or so".)

  Assuming the TID generator for the glibc is "good enough" and that the
flaw is the one described in [0], then the glibc code (even nscd) isn't
vulnerable, because it doesn't cache or even look at the additional
records.

  The problems with QID randomization are quite orthogonal, and it's a
problem known for 20 years now (using last QID+1 isn't really an option
;p). Having a better random number generator will probably help, but
quite doesn't require such a severity (as there is already randomization
of the QIDs, maybe not a perfect one).

  So unless you have further not-yet-disclosed information, I'd
suggest reconsidering the DSA.


  [0] http://blogs.buanzo.com.ar/2008/07/matasano-kaminsky-dns-forgery.html

-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org

Attachment: pgp9DrIqqg8y0.pgp
Description: PGP signature
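The distinction the mail draws (a resolver that caches additional-section records is exposed to the Kaminsky forgery, a stub resolver that only reads the answer section is not) and the role of TXID versus source-port entropy can be made concrete with a small simulation. The following is an added example, not code from the thread, glibc or Debian; it builds a constructed spoofed DNS reply in wire format (hypothetical names under example.com, the attacker address taken from a documentation range), parses it, and feeds it to two cache-update policies; the probability helper is the plain per-query guess ratio, not a claim about any particular resolver's generator.

```python
"""Constructed demo of why the additional section matters for CVE-2008-1447."""
import struct


def encode_name(name):
    """DNS wire encoding of a dotted name (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rr(name, rtype, rdata, ttl=300):
    """Generic class-IN resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_forged_response(txid, qname, victim_ns, attacker_ip):
    """Constructed spoofed reply (hypothetical data): a bogus answer for a
    throwaway qname plus an additional-section A record that points the
    zone's nameserver at the attacker. This is the Kaminsky-style payload."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 1, 1)  # QR|RD|RA, 1 q/an/ns/ar
    question = encode_name(qname) + struct.pack("!HH", 1, 1)    # A, IN
    answer = rr(qname, 1, bytes([10, 0, 0, 1]))
    authority = rr("example.com", 2, encode_name(victim_ns))    # NS record
    additional = rr(victim_ns, 1, bytes(int(o) for o in attacker_ip.split(".")))
    return header + question + answer + authority + additional


def decode_name(msg, off):
    """Decode a name at offset `off`, following compression pointers."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Return (txid, {'answer': [...], 'authority': [...], 'additional': [...]})."""
    txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # QTYPE, QCLASS
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        recs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            recs.append((name, rtype, msg[off:off + rdlen]))
            off += rdlen
        sections[key] = recs
    return txid, sections


def naive_cache_update(cache, sections):
    """Caching resolver that installs A records from every section of a
    reply whose TXID/port matched: the glue for the nameserver gets poisoned."""
    for recs in sections.values():
        for name, rtype, rdata in recs:
            if rtype == 1:
                cache[name] = ".".join(str(b) for b in rdata)


def stub_cache_update(cache, sections):
    """Stub-resolver behaviour: only the answer section is consulted; the
    authority and additional sections are never looked at."""
    for name, rtype, rdata in sections["answer"]:
        if rtype == 1:
            cache[name] = ".".join(str(b) for b in rdata)


def per_query_hit_probability(forged_replies, entropy_bits):
    """Chance that one of `forged_replies` spoofed packets matches the single
    outstanding query when the attacker must guess `entropy_bits` bits
    (16 for the TXID alone; a randomized source port adds roughly 16 more)."""
    return min(1.0, forged_replies / float(2 ** entropy_bits))
```

Running the two policies over the same forged packet shows the asymmetry: the naive cache ends up with ns1.example.com resolving to the attacker's address, while the stub cache only records the throwaway answer name and the poisoned glue never lands. The probability helper makes the other half of the mail's point visible: a thousand forged replies per query give about a 1.5% hit rate against a 16-bit TXID, and a negligible one once the source port adds a further 16 bits.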

