[pdns-recursor] [CVE-2008-1637] cache poisoning vulnerability

Bug #214980 reported by disabled.user
Affects                  Status        Importance  Assigned to    Milestone
pdns-recursor (Debian)   Fix Released  Undecided   Unassigned
pdns-recursor (Ubuntu)   Fix Released  Medium      William Grant
  Edgy                   Won't Fix     Undecided   Unassigned
  Feisty                 Won't Fix     Undecided   Unassigned
  Gutsy                  Won't Fix     Undecided   Unassigned
  Hardy                  Fix Released  Medium      William Grant

Bug Description

Binary package hint: pdns-recursor

References:
DSA-1544-1 (http://www.debian.org/security/2008/dsa-1544)

Quoting:
"Amit Klein discovered that pdns-recursor, a caching DNS resolver, uses a
weak random number generator to create DNS transaction IDs and UDP
source port numbers. As a result, cache poisoning attacks were
simplified."
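
The transaction ID and UDP source port named in the advisory are the two values an off-path sender has to guess before a forged reply is accepted. The following Python example is added here and is not pdns-recursor code or part of the Debian patch: it draws both values from the OS CSPRNG and accepts a reply only when address, port, ID and question all match. The function names, the port range and the sample addresses are assumptions of the example.

```python
import secrets
import struct

def encode_question(qname, qtype=1, qclass=1):
    """Wire-format question section: length-prefixed labels, QTYPE, QCLASS."""
    labels = qname.rstrip(".").lower().split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return name + b"\x00" + struct.pack("!HH", qtype, qclass)

def new_query(qname, server):
    """Create an outstanding query whose TXID and source port come from
    the OS CSPRNG, so earlier queries reveal nothing about later ones."""
    txid = secrets.randbelow(1 << 16)
    # Port range 1024-65535 is an assumption of this example.
    sport = 1024 + secrets.randbelow(65536 - 1024)
    question = encode_question(qname)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return {"server": server, "sport": sport, "txid": txid,
            "question": question, "packet": header + question}

def accept_response(pending, src_addr, dst_port, payload):
    """Accept a datagram only if it answers the outstanding query."""
    if src_addr != pending["server"] or dst_port != pending["sport"]:
        return False                      # wrong peer or wrong socket
    if len(payload) < 12:
        return False                      # shorter than a DNS header
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if txid != pending["txid"] or not flags & 0x8000 or qdcount != 1:
        return False                      # wrong ID, not a response, or odd QDCOUNT
    q = pending["question"]
    return payload[12:12 + len(q)] == q   # question must be echoed unchanged

def sample_response(txid, question):
    """Constructed reply: header with QR=1, RD=1, RA=1 plus the echoed question."""
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question

if __name__ == "__main__":
    p = new_query("www.example.com", "192.0.2.53")   # constructed sample values
    good = sample_response(p["txid"], p["question"])
    bad_id = sample_response(p["txid"] ^ 1, p["question"])
    print(accept_response(p, "192.0.2.53", p["sport"], good))
    print(accept_response(p, "192.0.2.53", p["sport"], bad_id))
    print(accept_response(p, "192.0.2.53", p["sport"] ^ 1, good))
```

The checks in `accept_response` only protect the cache if the values they compare against are unpredictable, which is why the fix for this bug replaces the generator rather than the matching logic.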

William Grant (wgrant)
Changed in pdns-recursor:
status: New → Fix Released
William Grant (wgrant) wrote :

The patch is gigantic, and can be found in 3.1.4-1etch1.

Scott Kitterman (kitterman) wrote :

I'd say better to fix it than not for Hardy before release, so ack from motu-release for Hardy.

Changed in pdns-recursor:
importance: Undecided → Medium
status: New → Confirmed
William Grant (wgrant)
Changed in pdns-recursor:
assignee: nobody → fujitsu
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pdns-recursor - 3.1.4-6ubuntu1

---------------
pdns-recursor (3.1.4-6ubuntu1) hardy; urgency=low

  * SECURITY UPDATE: cache poisoning via weak random number generator
    (LP: #214980)
    - Merge changes from 3.1.4-1+etch1:
      + debian/patches/predictable-dns-query.dpatch: Use a stronger RNG. Patch
        from Debian.
      + debian/copyright: Add license of new RNG.
    - References:
      + CVE-2008-1637

 -- William Grant <email address hidden> Sun, 20 Apr 2008 11:10:59 +1000

Changed in pdns-recursor:
status: In Progress → Fix Released
Hew (hew) wrote :

Ubuntu Edgy Eft is no longer supported, so an SRU will not be issued for this release. Marking Edgy as Won't Fix.

Changed in pdns-recursor:
status: New → Won't Fix
Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so an SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in pdns-recursor:
status: New → Won't Fix
Sergio Zanchetta (primes2h) wrote :

The 18-month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in pdns-recursor (Ubuntu Gutsy):
status: New → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.
