Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver

To: debian-security@lists.debian.org
Subject: Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
From: "Vincent Deffontaines" <vincent@gryzor.com>
Date: Wed, 13 Aug 2008 13:48:39 +0200 (CEST)
Message-id: <[🔎] 3735.80.13.1.6.1218628119.squirrel@ssl.ombos.raceme.org>
In-reply-to: <[🔎] 20080813100212.GE10437@linuxmafia.com>
References: <87myks4886.fsf@mid.deneb.enyo.de> <487436AF.70707@glimmer.demon.co.uk> <[🔎] 20080810221923.8ff52718.henrich@debian.or.jp> <[🔎] 87d4kgiqau.fsf@mid.deneb.enyo.de> <[🔎] 20080811094339.a522a1c3.henrich@debian.or.jp> <[🔎] slrnga0tft.3b1.jmm@inutil.org> <[🔎] 2056.80.13.1.6.1218620468.squirrel@ssl.ombos.raceme.org> <[🔎] 20080813100212.GE10437@linuxmafia.com>

Rick Moen a écrit :
> Quoting Vincent Deffontaines (vincent@gryzor.com):
>
>> And the Linux kernel (Netfilter) implements NAT source port
>> randomization
>> since 2.6.21, which can make it a conveninent way to protect your natted
>> hosts without any patching.
>>
>> See http://software.inl.fr/trac/wiki/contribs/RandomSkype for details.
>
> I believe this works on UDP traffic only starting with 2.6.24.  See:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=32c1da70810017a98aa6c431a5494a302b6b9a30
> http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.24
>

No I confirm NAT source port randomization was included in 2.6.21 as far
as Netfilter NAT is concerned.
Commit is :
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=41f4689a7c8cd76b77864461b3c58fde8f322b2c

The 2.6.24 commit is Linux network stack, not Netfilter.


Vincent


-- 
On sait qu'une cité va devenir grande quand on y voit les anciens planter
des arbres, alors qu'ils savent qu'ils ne profiteront jamais de leur
ombre.

Proverbe Grec

Reply to:

Follow-Ups:
- Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
  - From: Rick Moen <rick@linuxmafia.com>

References:
- Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
  - From: Hideki Yamane <henrich@debian.or.jp>
- Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
  - From: Hideki Yamane <henrich@debian.or.jp>
- Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
  - From: Moritz Muehlenhoff <jmm@inutil.org>
- Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
  - From: "Vincent Deffontaines" <vincent@gryzor.com>
- Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
  - From: Rick Moen <rick@linuxmafia.com>

Prev by Date: Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
Next by Date: Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
Previous by thread: Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
Next by thread: Re: [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
Index(es):
- Date
- Thread