1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resol

    From Florian Weimer@1:229/2 to All on Tue Jul 8 19:40:10 2008
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------ Debian Security Advisory DSA-1605-1 [email protected] http://www.debian.org/security/ Florian Weimer
    July 08, 2008 http://www.debian.org/security/faq
    - ------------------------------------------------------------------------

    Package : glibc
    Vulnerability : DNS cache poisoning
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-1447
    CERT advisory : VU#800113


    Dan Kaminsky discovered that properties inherent to the DNS protocol
    lead to practical DNS spoofing and cache poisoning attacks. Among
    other things, successful attacks can lead to misdirected web traffic
    and email rerouting.

    At this time, it is not possible to implement the recommended
    countermeasures in the GNU libc stub resolver. The following
    workarounds are available:

    1. Install a local BIND 9 resoler on the host, possibly in
    forward-only mode. BIND 9 will then use source port randomization
    when sending queries over the network. (Other caching resolvers can
    be used instead.)

    2. Rely on IP address spoofing protection if available. Successful
    attacks must spoof the address of one of the resolvers, which may not
    be possible if the network is guarded properly against IP spoofing
    attacks (both from internal and external sources).

    This DSA will be updated when patches for hardening the stub resolver
    are available.

    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: [email protected]
    Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)

    iQEVAwUBSHOIFr97/wQC1SS+AQIscwf+KBKMT4hcpB5TCNE+0v1DNBHiQ4rh7ktz KiOyLWEJOaxOrpsR8siA6B6newiLe5KfwojDikqSCXbubTCeicj79HTCx5DzzhTm aa3HePARxmtN1AuyFCebOfklibTtyY/gpwydCdAVBiV0+LmD+jXy9Jx4AfyuibXZ VaqkUTj5sUUQn5CacdI1zc1Ky1rzbzRBBoNJ1D1rRBU1wjoGsvVjBV9p24j/1E2c mYtbY3g1FKmhnOTLBac/AAW62ZQ44yf4QcGgwV8CULfi5c2QmGiRYZioWDVd0pfZ hr2h/Vmjs2qgf8B9FmYet0hEGm6SrEryT2ievlqXkpul0MYtHjJ5iw==
    =CMHb
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)