Gentoo Bug 231335 - net-dns/pdns-recursor <3.1.6 Weak random source port selection (CVE-2008-3217)

First Last Prev Next No search results available Search page Enter new bug

Bug#:	231335
Alias:
Product:
Component:
Status:	RESOLVED
Resolution:	FIXED
Assigned To:	Gentoo Security <security@gentoo.org>

Hardware:
OS:
Version:
Priority:
Severity:

Reporter:	Robert Buchholz <rbu@gentoo.org>
Add CC:
CC:	Remove selected CCs

URL:
Summary:
Status Whiteboard:
Keywords:

Flags:			Requestee:
	Pending
	Approved
	Assigned_To		()

Filename	Description	Type	Creator	Created	Size	Actions
Create a New Attachment (proposed patch, testcase, etc.)						View All

Bug 231335 depends on:			Show dependency tree
Bug 231335 blocks:			Show dependency tree

Additional Comments: (this is where you put emerge --info)

Add to CC list

Not eligible to see or edit group visibility for this bug.

Leave as RESOLVED FIXED
Reopen bug
Mark bug as VERIFIED
Mark bug as CLOSED

View Bug Activity | Format For Printing | XML | Clone This Bug

Description:

Opened: 2008-07-09 20:23 0000

Quoting $URL:
      The new high-quality random generator was not used for all random
numbers, especially in source port selection. This means that 3.1.5 is still a
lot more secure than 3.1.4 was, and its algorithms more secure than most other
nameservers, but it also means 3.1.5 is not as secure as it could be. A quick
upgrade is recommended. Discovered by Thomas Biege of Novell (SUSE), fixed in
commit 1179. 

http://wiki.powerdns.com/projects/trac/changeset/1179

------- Comment #1 From Robert Buchholz 2008-07-09 20:24:30 0000 -------

Arches, please test and mark stable:
=net-dns/pdns-recursor-3.1.6
Target keywords : "amd64 x86"

------- Comment #2 From Christian Faulhammer 2008-07-10 08:08:38 0000 -------

x86 stable

------- Comment #3 From Markus Meier 2008-08-04 19:05:25 0000 -------

amd64 stable, all arches done.

------- Comment #4 From Raphael Marichez 2008-08-05 14:51:23 0000 -------

I would vote Yes like we previously did on other cache-poisoning
vulnerabilities.

refer to GLSA 200804-22

------- Comment #5 From Robert Buchholz 2008-08-15 15:19:07 0000 -------

YES, request filed

------- Comment #6 From Robert Buchholz 2008-08-19 23:05:19 0000 -------

This should be an erratum as it was reported fixed by bug #215567 / GLSA
200804-22.

------- Comment #7 From Robert Buchholz 2008-08-21 15:43:44 0000 -------

update sent.

First Last Prev Next No search results available Search page Enter new bug

Bugzilla Bug 231335

net-dns/pdns-recursor <3.1.6 Weak random source port selection (CVE-2008-3217)

Last modified: 2008-08-21 15:43:44 0000