Bug 231335 - net-dns/pdns-recursor <3.1.6 Weak random source port selection (CVE-2008-3217)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://doc.powerdns.com/changelog.htm...
Whiteboard: B3 [glsa errata]
Reported: 2008-07-09 20:23 UTC by Robert Buchholz (RETIRED)
Modified: 2008-08-21 15:43 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2008-07-09 20:23:29 UTC
Quoting $URL:
      The new high-quality random generator was not used for all random numbers, especially in source port selection. This means that 3.1.5 is still a lot more secure than 3.1.4 was, and its algorithms more secure than most other nameservers, but it also means 3.1.5 is not as secure as it could be. A quick upgrade is recommended. Discovered by Thomas Biege of Novell (SUSE), fixed in commit 1179. 

http://wiki.powerdns.com/projects/trac/changeset/1179
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-07-09 20:24:30 UTC
Arches, please test and mark stable:
=net-dns/pdns-recursor-3.1.6
Target keywords : "amd64 x86"
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2008-07-10 08:08:38 UTC
x86 stable
Comment 3 Markus Meier gentoo-dev 2008-08-04 19:05:25 UTC
amd64 stable, all arches done.
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-08-05 14:51:23 UTC
I would vote Yes like we previously did on other cache-poisoning vulnerabilities.

refer to GLSA 200804-22
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-08-15 15:19:07 UTC
YES, request filed
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-08-19 23:05:19 UTC
This should be an erratum as it was reported fixed by bug #215567 / GLSA 200804-22.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-08-21 15:43:44 UTC
update sent.