Python-dns does not randomize TID causing DNS poisoning risk
Bug #247409 reported by Scott Kitterman
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux-source-2.6.15 (Ubuntu) | Invalid | Undecided | Unassigned |
Dapper | Won't Fix | High | Unassigned |
Feisty | Invalid | Undecided | Unassigned |
Gutsy | Invalid | Undecided | Unassigned |
Hardy | Invalid | Undecided | Unassigned |
linux-source-2.6.20 (Ubuntu) | Invalid | Undecided | Unassigned |
Dapper | Invalid | Undecided | Unassigned |
Feisty | Won't Fix | High | Unassigned |
Gutsy | Invalid | Undecided | Unassigned |
Hardy | Invalid | Undecided | Unassigned |
linux-source-2.6.22 (Ubuntu) | Invalid | Undecided | Unassigned |
Dapper | Invalid | Undecided | Unassigned |
Feisty | Invalid | Undecided | Unassigned |
Gutsy | Won't Fix | High | Unassigned |
Hardy | Invalid | Undecided | Unassigned |
python-dns (Debian) | Fix Released | Unknown | |
python-dns (Ubuntu) | Fix Released | Medium | Scott Kitterman |
Dapper | Fix Released | Medium | Scott Kitterman |
Feisty | Fix Released | Medium | Scott Kitterman |
Gutsy | Fix Released | Medium | Scott Kitterman |
Hardy | Fix Released | Medium | Scott Kitterman |
Bug Description
Binary package hint: python-dns
Ideally one wants to randomize port and TID. Python-dns opens a new socket for each request, so the OS should handle socket randomization. Dapper does not. Hardy does. Do not know about Feisty/Gutsy. Python-dns does not randomize TID. Upstream will release a new version that supports that to resolve their part of the problem.
Changed in python-dns:
assignee: nobody → kitterman
importance: Undecided → Medium
status: New → In Progress
description: updated
Changed in python-dns:
importance: Undecided → Medium
status: New → Confirmed
importance: Undecided → Medium
status: New → Confirmed
importance: Undecided → Medium
status: New → Confirmed
Changed in python-dns:
importance: Undecided → Medium
status: New → Confirmed
Changed in linux-source-2.6.15:
importance: Undecided → High
status: New → Confirmed
status: New → Invalid
status: New → Invalid
status: New → Invalid
status: New → Invalid
Changed in linux-source-2.6.20:
status: New → Invalid
status: New → Invalid
status: New → Invalid
Changed in linux-source-2.6.20:
status: New → Invalid
Changed in linux-source-2.6.22:
status: New → Invalid
status: New → Invalid
status: New → Invalid
Changed in python-dns:
status: Unknown → New
Changed in python-dns:
status: In Progress → Fix Released
Changed in python-dns:
status: New → Fix Released
Changed in python-dns:
status: Fix Committed → Fix Released
Changed in linux-source-2.6.15:
status: Confirmed → Won't Fix
Changed in linux-source-2.6.20:
status: Confirmed → Won't Fix
2.6.24 provides port randomization, so it is not affected. Once I get a TID randomizing python-dns for Hardy/Intrepid, those releases will have mitigation in place. Still need to check for port randomization in Feisty/Gutsy.
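
The two mitigations discussed in this bug, as an added example that is not python-dns code or the upstream fix: the TID comes from the OS CSPRNG, each query uses a new socket so the kernel chooses the source port, and a reply is accepted only if its TID, source address and question match what was sent. The function names and the 192.0.2.53 server address are assumptions made for illustration.

```python
import secrets
import socket
import struct
import time

def build_query(name, qtype=1):
    """Return (tid, packet) for a recursive query with an unpredictable TID."""
    tid = secrets.randbelow(1 << 16)  # OS CSPRNG, not a counter or random.random()
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return tid, header + qname + struct.pack("!HH", qtype, 1)  # class IN

def question_of(packet):
    """Return the raw question section (QNAME, QTYPE, QCLASS) of a packet."""
    i = 12
    while packet[i] != 0:  # walk length-prefixed labels; IndexError if truncated
        i += packet[i] + 1
    return packet[12:i + 5]

def accept_response(query, tid, server, response, source):
    """True only if the datagram answers the query we actually sent."""
    if source != server or len(response) < 12:
        return False
    rtid, flags, qdcount = struct.unpack("!HHH", response[:6])
    if rtid != tid or not flags & 0x8000 or qdcount != 1:  # TID, QR bit, 1 question
        return False
    try:
        return question_of(response) == question_of(query)
    except IndexError:
        return False

def resolve(name, server=("192.0.2.53", 53), timeout=3.0):  # placeholder server
    """Send one query from a fresh socket and return the first valid reply."""
    tid, query = build_query(name)
    deadline = time.monotonic() + timeout
    # New unbound socket per request: the OS picks the source port, so port
    # randomization is only as good as the kernel's ephemeral port selection.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(query, server)
        while True:  # drop mismatching datagrams instead of trusting the first
            s.settimeout(max(deadline - time.monotonic(), 0.001))
            response, source = s.recvfrom(4096)  # socket.timeout once time is up
            if accept_response(query, tid, server, response, source):
                return response
```

With a random 16-bit TID alone an off-path forger still has a 1 in 65536 chance per forged packet, which is why the reply check and the kernel's source port selection both matter.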