Florian Weimer wrote:
> * brian m. carlson:
>
>> The glibc stub resolver is vulnerable to CVE-2008-1447, according to DSA
>> 1605. Since the vast majority of network-using programs use glibc as a
>> resolver, this vulnerability affects virtually any network-using
>> program, hence the severity. libc6 should not be released without a fix
>> for this problem.
>>
>> The vulnerability has been exposed:
>>
>> http://demosthen.es/post/43048623/reliable-dns-forgery-in-2008
>
> I fail to see how this attack has a chance to work against non-caching
> stub resolvers like the GNU libc resolver.
>
> However, we're working on a solution.
As already said previously on this bug log, I don't think there is anything to do for the glibc resolver. The glibc stub resolver uses an unspecified UDP port, so it is eventually chosen by the kernel. As a consequence this has to be handled in the kernel, and is already fixed in kernel >= 2.6.24 [1].

tcpdump shows that using a >= 2.6.24 kernel (lenny kernel), the ports are correctly randomized. With a 2.6.18 kernel (etch kernel), the ports *are* not randomized.

IMHO, the UDP randomization commit has to be backported to the etch kernel. The advantage of this solution is that it potentially fixes other bugs/vulnerabilities in other protocols/programs using UDP.

Cheers,
Aurelien

[1] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=32c1da70810017a98aa6c431a5494a302b6b9a30

--
Aurelien Jarno | GPG: 1024D/F1BCDB73
Debian developer | Electrical Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
people.debian.org/~aurel32 | www.aurel32.net
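The check Aurelien describes was done by reading tcpdump output by eye. As an added example (not code from this thread, glibc or Debian), the script below automates that assessment: it pulls the UDP source port of every query sent to port 53 out of tcpdump's default output and flags a capture in which the ports repeat or step by one, which is what a stub resolver looks like behind a kernel without port randomization. The tcpdump lines, addresses and port sequences are constructed samples.

```python
import re
from collections import Counter
from math import log2

# Source/destination of a UDP DNS query in tcpdump's default output, e.g.
# "IP 192.0.2.10.45231 > 192.0.2.53.53: 1234+ A? example.org. (29)".
# The trailing "txid[flags] " excludes TCP lines, which print "Flags [...]".
DNS_QUERY_RE = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.53: \d+\S* ")

def source_ports(tcpdump_lines):
    """Return the source ports of all UDP queries to port 53, in capture order."""
    ports = []
    for line in tcpdump_lines:
        m = DNS_QUERY_RE.search(line)
        if m:
            ports.append(int(m.group(2)))
    return ports

def port_entropy_bits(ports):
    """Shannon entropy of the observed source-port distribution, in bits."""
    n = len(ports)
    return -sum(c / n * log2(c / n) for c in Counter(ports).values())

def assess_randomization(ports, min_samples=8):
    """Classify a port sequence as 'randomized', 'predictable' or 'insufficient'.
    A kernel without UDP port randomization hands the resolver the same port
    again or the next one in line, so steps of 0 or +1 dominate; a randomizing
    kernel picks an unpredictable port for each new socket."""
    if len(ports) < min_samples:
        return "insufficient"
    steps = [b - a for a, b in zip(ports, ports[1:])]
    predictable = sum(1 for s in steps if s in (0, 1))
    return "predictable" if predictable / len(steps) > 0.5 else "randomized"

def tcpdump_line(src_port, txid, name):
    # Builds one constructed line in tcpdump's format (documentation addresses).
    return f"12:00:00.000000 IP 192.0.2.10.{src_port} > 192.0.2.53.53: {txid}+ A? {name}. (29)"

# Constructed samples: sequential ports as seen without randomization, and an
# arbitrary spread as seen with it.  Neither is a real capture.
SEQUENTIAL_CAPTURE = [tcpdump_line(32768 + i, 1000 + i, "example.org") for i in range(8)]
RANDOMIZED_CAPTURE = [tcpdump_line(p, 1000 + i, "example.org") for i, p in
                      enumerate([45231, 8872, 60120, 3391, 52007, 17654, 39910, 25488])]

if __name__ == "__main__":
    for label, capture in (("sequential", SEQUENTIAL_CAPTURE), ("randomized", RANDOMIZED_CAPTURE)):
        ports = source_ports(capture)
        print(label, assess_randomization(ports), f"{port_entropy_bits(ports):.2f} bits")
```

Run it against a real capture with `tcpdump -n udp port 53` piped in, one line per query, after at least a few hundred lookups; eight samples only show the mechanics.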