CVE-2008-4100 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4100): GNU adns 1.4 and earlier uses a fixed source port and sequential transaction IDs for DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447. NOTE: the vendor reports that this is intended behavior and is compatible with the product's intended role in a trusted environment.
adns-1.4 there and stable - bug 213740
vote: YES
Yes, too. Request filed.
wait, this was wrong. The bug is not fixed in 1.4, and according to upstream's statements [0] it will not be fixed within adns. Users will have to make sure that adns is used against a nameserver in a trusted network. However, I am not sure if this is the case with all applications using adns: http://tinderbox.dev.gentoo.org/misc/rindex/net-libs/adns [0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492698
dragonheard, coldwind -- you guys seem to use adns. Its INSTALL file contains this notice, and I think we need to either display it in an ewarn, install it as some README.SECURITY file, or remove the package.

SECURITY AND PERFORMANCE - AN IMPORTANT NOTE

adns is not a `full-service resolver': it does no caching of responses at all, and has no defence against bad nameservers or fake packets which appear to come from your real nameservers. It relies on the full-service resolvers listed in resolv.conf to handle these tasks.

For secure and reasonable operation you MUST run a full-service nameserver on the same system as your adns applications, or on the same local, fully trusted network. You MUST only list such nameservers in the adns configuration (eg resolv.conf).
...
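The two comments above boil down to one operational check: because adns keeps a fixed source port and predictable transaction IDs, every nameserver in its resolv.conf must be on a fully trusted network, or an off-path attacker has almost nothing to guess. The following script is an added example for this thread (it is not adns code, not a Gentoo ebuild, and not something the bug itself shipped): it parses resolv.conf-style text and lists nameservers outside an assumed set of trusted networks, and it shows how the attacker's guess space collapses when source port and TXID carry no entropy. The sample resolv.conf contents and the trusted-network list (loopback plus a hypothetical 10.0.0.0/24 LAN) are constructed assumptions for illustration.

```python
import ipaddress

# Constructed sample resolv.conf for this example; not from any real system,
# the bug report, or the adns sources.
SAMPLE_RESOLV_CONF = """\
# example resolver configuration (constructed)
nameserver 127.0.0.1
nameserver 10.0.0.53
nameserver 8.8.8.8   ; a public resolver reached over an untrusted path
search example.test
options timeout:1
"""

# Hypothetical trusted networks: loopback plus the admin's own LAN.
# Adjust to the local environment; the INSTALL notice only accepts
# "same system" or "same local, fully trusted network".
DEFAULT_TRUSTED = ("127.0.0.0/8", "::1/128", "10.0.0.0/24")


def parse_nameservers(text):
    """Return the nameserver addresses from resolv.conf-style text.

    Comments (# or ;) are stripped, and lines that are not 'nameserver <ip>'
    or that carry an unparseable address are skipped rather than raising.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                # malformed address: ignore, a resolver would too
                continue
    return servers


def untrusted_nameservers(text, trusted=DEFAULT_TRUSTED):
    """Nameservers (as strings) not inside any of the trusted networks.

    An address is trusted only if it falls in one of the given networks;
    mixed IPv4/IPv6 comparisons simply do not match.
    """
    nets = [ipaddress.ip_network(n) for n in trusted]
    return [str(s) for s in parse_nameservers(text)
            if not any(s in n for n in nets)]


def spoof_guess_space(port_entropy_bits, txid_entropy_bits):
    """Number of (source port, TXID) pairs an off-path spoofer must cover.

    A fixed source port contributes 0 bits and a sequential TXID about 0 bits
    once one query has been observed, which is the adns situation; a resolver
    with random ports and TXIDs is closer to 16 + 16 bits.
    """
    return 2 ** (port_entropy_bits + txid_entropy_bits)


if __name__ == "__main__":
    bad = untrusted_nameservers(SAMPLE_RESOLV_CONF)
    if bad:
        print("untrusted nameservers listed for adns:", ", ".join(bad))
    else:
        print("all nameservers are on trusted networks")
    print("guesses needed, fixed port + sequential TXID:",
          spoof_guess_space(0, 0))
    print("guesses needed, random port + random TXID:",
          spoof_guess_space(16, 16))
```

Run it against the real file with `untrusted_nameservers(open("/etc/resolv.conf").read(), trusted=(...))` and your own trusted networks; anything it prints is a nameserver adns would trust that the INSTALL notice says it must not.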
nice pickup Robert. ewarnings and README.security installed.
Do we really want to issue a glsa about this after all? It has a pending draft, but since it's not really fixed and the ewarn clearly mentions it, I would say no.
I think it is ok that way. No, too. Feel free to reopen if you think otherwise.