Bug 238118 (CVE-2008-4099) - dev-python/pydns <2.3.3 Insufficient randomness in transaction ID / source port (CVE-2008-{4099,4126})
Status: RESOLVED FIXED
Alias: CVE-2008-4099
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-09-19 15:16 UTC by Robert Buchholz (RETIRED)
Modified: 2009-01-15 12:11 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2008-09-19 15:16:25 UTC
CVE-2008-4099 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4099):
  PyDNS (aka python-dns) before 2.3.1-4 in Debian GNU/Linux does not
  use random source ports or transaction IDs for DNS requests, which
  makes it easier for remote attackers to spoof DNS responses, a
  different vulnerability than CVE-2008-1447.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-09-19 15:28:00 UTC
CVE-2008-4126 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4126):
  PyDNS (aka python-dns) before 2.3.1-5 in Debian GNU/Linux does not
  use random source ports for DNS requests and does not use random
  transaction IDs for DNS retries, which makes it easier for remote
  attackers to spoof DNS responses, a different vulnerability than
  CVE-2008-1447.  NOTE: this vulnerability exists because of an
  incomplete fix for CVE-2008-4099.
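
The properties both CVE entries above turn on, shown as an added Python example (not PyDNS code and not part of this bug report): a transaction ID drawn from a CSPRNG for every attempt including retries, an unpredictable source port per query, and a reply check that rejects anything not matching the outstanding query. The function names and the 192.0.2.x addresses in the usage are hypothetical.

```python
import secrets
import socket
import struct

def build_query(name, qtype=1):
    """Return (txid, packet). Call again for every retry so the ID is never reused."""
    txid = secrets.randbelow(1 << 16)  # CSPRNG, not a counter or the random module
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # class IN

def open_query_socket(max_tries=16):
    """UDP socket bound to a source port drawn at random for this query."""
    for _ in range(max_tries):
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            sock.bind(("0.0.0.0", 1024 + secrets.randbelow(65536 - 1024)))
            return sock
        except OSError:  # port already in use: draw another one
            sock.close()
    raise OSError("no free source port found")

def accept_response(query, txid, server, reply, sender):
    """True only if the reply matches the outstanding query."""
    if sender != server or len(reply) < len(query):
        return False  # wrong peer address/port, or too short to echo the question
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != txid or not flags & 0x8000:  # wrong ID, or QR bit not set
        return False
    # The question section must be echoed back (names compare case-insensitively).
    return reply[12:len(query)].lower() == query[12:].lower()
```

A caller would send the packet from `build_query` over the socket from `open_query_socket`, and pass each datagram from `recvfrom` through `accept_response` before parsing it any further.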

Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-09-19 15:51:11 UTC
different bug than 233217
Comment 3 Hanno Böck gentoo-dev 2009-01-15 10:47:10 UTC
According to the Debian bug, this should be fixed with 2.3.2. As we have 2.3.3 in Portage, we should be fine?
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-01-15 12:10:50 UTC
Confirmed:
http://pydns.cvs.sourceforge.net/viewvc/pydns/pydns/DNS/Base.py?view=log#rev1.14

sbriesen, please leave a note on open security bugs when you do a bump, we can't follow every upstream release we have bugs for. Thanks!