oss-sec mailing list archives

Re: DNS vulnerability: other relevant software

From: Mark J Cox <mjc () redhat com>
Date: Wed, 9 Jul 2008 14:36:10 +0100 (BST)

Additionally, Debian has noted (DSA 1605-1) that the GNU libc stub
resolver could benefit from random query source ports as well, but
no patches are currently available to implement this:

Note that GNU libc stub resolver when used with a recent kernel (2.6.24+)will give you random UDP source ports on each request because of thisLinux commit:


http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=32c1da70810017a98aa6c431a5494a302b6b9a30

Vendors may with to consider backporting that kernel patch as an effectivemitigation without requiring glibc changes (and with the advantage ofbeing able to be have a customized range using ip_local_port_range etc)


Cheers, Mark

Current thread:

DNS vulnerability: other relevant software Matthias Geerdsen (Jul 09)
- Re: DNS vulnerability: other relevant software The Fungi (Jul 09)
  - Re: DNS vulnerability: other relevant software Mark J Cox (Jul 09)
    - Re: DNS vulnerability: other relevant software Florian Weimer (Jul 09)
    - Re: DNS vulnerability: other relevant software Eugene Teo (Jul 09)
    - Re: DNS vulnerability: other relevant software Eugene Teo (Jul 09)
    - Re: DNS vulnerability: other relevant software Eugene Teo (Jul 10)
    - Re: DNS vulnerability: other relevant software Nathanael Hoyle (Jul 10)
    - Re: DNS vulnerability: other relevant software Bernhard R. Link (Jul 11)
    - Re: DNS vulnerability: other relevant software Nathanael Hoyle (Jul 11)
    - Re: DNS vulnerability: other relevant software Florian Weimer (Jul 13)
    - Re: DNS vulnerability: other relevant software Florian Weimer (Jul 12)
    - Re: DNS vulnerability: other relevant software Eugene Teo (Jul 09)

(Thread continues...)