Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 231335 - net-dns/pdns-recursor <3.1.6 Weak random source port selection (CVE-2008-3217)
Summary: net-dns/pdns-recursor <3.1.6 Weak random source port selection (CVE-2008-3217)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa errata]
Depends on:
Reported: 2008-07-09 20:23 UTC by Robert Buchholz (RETIRED)
Modified: 2008-08-21 15:43 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-07-09 20:23:29 UTC
Quoting $URL:
      The new high-quality random generator was not used for all random numbers, especially in source port selection. This means that 3.1.5 is still a lot more secure than 3.1.4 was, and its algorithms more secure than most other nameservers, but it also means 3.1.5 is not as secure as it could be. A quick upgrade is recommended. Discovered by Thomas Biege of Novell (SUSE), fixed in commit 1179.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-07-09 20:24:30 UTC
Arches, please test and mark stable:
Target keywords : "amd64 x86"
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2008-07-10 08:08:38 UTC
x86 stable
Comment 3 Markus Meier gentoo-dev 2008-08-04 19:05:25 UTC
amd64 stable, all arches done.
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-08-05 14:51:23 UTC
I would vote Yes like we previously did on other cache-poisoning vulnerabilities.

refer to GLSA 200804-22
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-08-15 15:19:07 UTC
YES, request filed
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-08-19 23:05:19 UTC
This should be an erratum as it was reported fixed by bug #215567 / GLSA 200804-22.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-08-21 15:43:44 UTC
update sent.