oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: DNS vulnerability: other relevant software

From: Eugene Teo <eteo () redhat com>
Date: Thu, 10 Jul 2008 13:19:14 +0800
Mark J Cox wrote:

Additionally, Debian has noted (DSA 1605-1) that the GNU libc stub
resolver could benefit from random query source ports as well, but
no patches are currently available to implement this:


Note that GNU libc stub resolver when used with a recent kernel
(2.6.24+) will give you random UDP source ports on each request because
of this Linux commit:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=32c1da70810017a98aa6c431a5494a302b6b9a30


Vendors may with to consider backporting that kernel patch as an
effective mitigation without requiring glibc changes (and with the
advantage of being able to be have a customized range using
ip_local_port_range etc)


I have backported the kernel patch to apply cleanly to various versions
of Red Hat Enterprise Linux kernels. Vendors interested in the patch can
find it at:

https://bugzilla.redhat.com/show_bug.cgi?id=454566

Thanks, Eugene
-- 
Eugene Teo / Red Hat Security Response Team
Previous By Date Next
Previous By Thread Next

Current thread: