oss-sec mailing list archives
Re: CVE Request (ruby -- DNS spoofing vulnerability in resolv.rb)
From: "Steven M. Christey" <coley () linus mitre org>
Date: Mon, 15 Sep 2008 20:59:40 -0400 (EDT)
On Thu, 11 Sep 2008, Tomas Hoger wrote:
> > We're treating this as a distinct issue because this is *REALLY* bad
> > randomness within a particular implementation, besides the inherent
> > limitation of DNS when source ports are fixed.
>
> Applying this rule, separate id should probably be used for PyDNS [1]
> [2] and adns [3] as well, as they both suffer from the similar flaws -
> use predictable transactions ids and source port.

CVE-2008-4099 - PyDNS
CVE-2008-4100 - adns

- Steve
Current thread:
- CVE Request (ruby -- DNS spoofing vulnerability in resolv.rb) Jan Lieskovsky (Sep 03)
- Re: CVE Request (ruby -- DNS spoofing vulnerability in resolv.rb) Steven M. Christey (Sep 04)
- Re: CVE Request (ruby -- DNS spoofing vulnerability in resolv.rb) Tomas Hoger (Sep 11)
- Re: CVE Request (ruby -- DNS spoofing vulnerability in resolv.rb) Steven M. Christey (Sep 15)