Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]

To: Pierre Habouzit <madcoder@debian.org>
Cc: 491809@bugs.debian.org, Aurelien Jarno <aurelien@aurel32.net>, "brian m. carlson" <sandals@crustytoothpaste.ath.cx>, control@bugs.debian.org
Subject: Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
From: Florian Weimer <fw@deneb.enyo.de>
Date: Sat, 26 Jul 2008 00:06:01 +0200
Message-id: <[🔎] 87d4l1r54m.fsf@mid.deneb.enyo.de>
Reply-to: Florian Weimer <fw@deneb.enyo.de>, 491809@bugs.debian.org
In-reply-to: <20080723142649.GD20614@artemis.madism.org> (Pierre Habouzit's message of "Wed, 23 Jul 2008 16:26:49 +0200")
References: <[🔎] 20080722001613.GA28684@crustytoothpaste.ath.cx> <[🔎] 871w1mmgmc.fsf@mid.deneb.enyo.de> <[🔎] 4885F632.80605@aurel32.net> <[🔎] 87ljzu9cn3.fsf@mid.deneb.enyo.de> <[🔎] 4885FAD1.50306@aurel32.net> <[🔎] 87d4l69c2x.fsf@mid.deneb.enyo.de> <[🔎] 20080722160213.GC15532@artemis.madism.org> <20080723142649.GD20614@artemis.madism.org>

reopen 491809
thanks

* Pierre Habouzit:

>   Kaminsky agrees confirm the issue, so I can say for sure that the
> glibc isn't vulnerable to the attack he describes, as it needs a
> resolver that caches additionnal RRs, which the glibc doesn't do.

>   As of attacks that would use non randomized source port use, this is
> addressed by recent kernels hence is fixed enough.

I've trouble parsing what you wrote.

Based on information provided at the DNS summit, I do think we should
harden the glibc stub resolver.

Reply to:

Follow-Ups:
- Processed: Re: Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
  - From: Pierre Habouzit <madcoder@debian.org>

References:
- Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
  - From: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
- Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
  - From: Florian Weimer <fw@deneb.enyo.de>
- Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
  - From: Aurelien Jarno <aurelien@aurel32.net>
- Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
  - From: Florian Weimer <fw@deneb.enyo.de>
- Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
  - From: Aurelien Jarno <aurelien@aurel32.net>
- Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
  - From: Florian Weimer <fw@deneb.enyo.de>
- Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
  - From: Pierre Habouzit <madcoder@debian.org>

Prev by Date: Processed: Re: Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
Next by Date: Processed: Bug forwarded upstream
Previous by thread: Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
Next by thread: Processed: Re: Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
Index(es):
- Date
- Thread