[Bug 246702] Re: [CVE-2008-1447] Randomize DNS query source ports to prevent cache poisoning
Marc Deslauriers
marc.deslauriers at canonical.com
Thu Mar 26 16:59:41 UTC 2015
This is fixed in all currently-supported versions of Ubuntu.
** Changed in: glibc (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/246702
Title:
[CVE-2008-1447] Randomize DNS query source ports to prevent cache
poisoning
Status in bind9 package in Ubuntu:
Fix Released
Status in glibc package in Ubuntu:
Fix Released
Bug description:
Binary package hint: bind9
Debian issued three security advisories related to the possibility of
DNS cache poisoning in Bind 9 (DSA-1603), Bind 8 (DSA-1604) and the
libc stub resolver (DSA-1605).
Here is the description of the problem with Bind 9 from DSA-1603-1:
"Dan Kaminsky discovered that properties inherent to the DNS protocol
lead to practical DNS cache poisoning attacks. Among other things,
successful attacks can lead to misdirected web traffic and email
rerouting.
This update changes Debian's BIND 9 packages to implement the
recommended countermeasure: UDP query source port randomization. This
change increases the size of the space from which an attacker has to
guess values in a backwards-compatible fashion and makes successful
attacks significantly more difficult."
[...]
"Other caching resolvers distributed by Debian (PowerDNS, MaraDNS,
Unbound) already employ source port randomization, and no updated
packages are needed. BIND 9.5 up to and including version
1:9.5.0.dfsg-4 only implements a weak form of source port
randomization and needs to be updated as well. For information on
BIND 8, see DSA-1604-1, and for the status of the libc stub resolver,
see DSA-1605-1."
As described in DSA-1605-1, the glibc stub resolver hasn't been updated
yet and is still vulnerable. The advisory suggests installing a local
Bind 9 resolver, possibly in forward-only mode, as a workaround. So
this bug in package glibc is a request to make the stub resolver
randomize source ports as well, because non-technical Ubuntu users
can't be expected to configure Bind 9 on their own.
References
DSA-1603-1:
http://lists.debian.org/debian-security-announce/2008/msg00184.html
http://www.debian.org/security/2008/dsa-1603
DSA-1604-1:
http://lists.debian.org/debian-security-announce/2008/msg00185.html
http://www.debian.org/security/2008/dsa-1604
DSA-1605-1:
http://lists.debian.org/debian-security-announce/2008/msg00186.html
http://www.debian.org/security/2008/dsa-1605
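The advisory text above says port randomization "increases the size of the space from which an attacker has to guess values" and that the stub resolver needed the same fix as BIND. The following Python script is an added example, not code from the bug report, Debian, glibc or BIND: it implements the acceptance check a resolver applies to a UDP reply (transaction ID, destination port and question must all match the outstanding query), computes the resulting guess space with and without randomized source ports, and binds fresh UDP sockets to port 0 on loopback to show what ports the local kernel hands out. The ephemeral range 32768-60999 is an assumption matching a common Linux ip_local_port_range; check /proc/sys/net/ipv4/ip_local_port_range on your own host.

```python
"""Added example (not part of the bug report or the Debian advisories):
resolver-side reply matching, and the guess space with/without randomized
UDP source ports."""
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Dotted hostname -> DNS wire format (length-prefixed labels, zero end)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    """Minimal DNS query: 12-byte header plus one A/IN question, RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def make_reply(txid: int, name: str) -> bytes:
    """Response-shaped packet with a chosen ID (constructed test data for the
    validator below; carries no answer records)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_header(pkt: bytes):
    """Return (txid, flags, qdcount) from a DNS message header."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    return txid, flags, qdcount


def question_section(pkt: bytes) -> bytes:
    """Raw question section of a single-question message (no compression
    pointers appear in a question written by build_query/make_reply)."""
    end = 12
    while pkt[end] != 0:          # walk the labels
        end += 1 + pkt[end]
    end += 1 + 4                  # terminating zero, QTYPE, QCLASS
    return pkt[12:end]


def response_matches(query: bytes, query_src_port: int,
                     response: bytes, response_dst_port: int) -> bool:
    """Acceptance check for an incoming UDP reply: it must arrive on the port
    the query left from, carry the same 16-bit ID, have QR set and echo the
    same question. With a fixed source port the port test adds nothing, so
    only the 16-bit ID protects the cache; a random port adds ~14.8 bits."""
    if response_dst_port != query_src_port or len(response) < 12:
        return False
    q_txid, _, _ = parse_header(query)
    r_txid, r_flags, r_qdcount = parse_header(response)
    if r_txid != q_txid or not (r_flags & 0x8000) or r_qdcount != 1:
        return False
    return question_section(response) == question_section(query)


def guess_space(randomize_ports: bool, low: int = 32768, high: int = 60999) -> int:
    """Number of (txid, port) combinations an off-path forger must cover.
    The default range is an assumed Linux ip_local_port_range."""
    ids = 1 << 16
    return ids * (high - low + 1) if randomize_ports else ids


def sample_source_ports(count: int) -> list:
    """Bind `count` UDP sockets to port 0 on loopback and return the ports the
    kernel assigned. A stub resolver that opens a fresh socket per query (the
    countermeasure the advisories describe) draws its source port this way."""
    socks = [socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for _ in range(count)]
    try:
        for s in socks:
            s.bind(("127.0.0.1", 0))
        return [s.getsockname()[1] for s in socks]
    finally:
        for s in socks:
            s.close()


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    print("fixed source port, combinations to guess:     ", guess_space(False))
    print("randomized source port, combinations to guess:", guess_space(True))
    ports = sample_source_ports(50)
    print("distinct kernel-assigned ports in 50 binds:   ", len(set(ports)))
    print("reply with wrong ID accepted?",
          response_matches(q, ports[0], make_reply(0x1235, "example.com"), ports[0]))
```

A low count of distinct ports from `sample_source_ports` on a host is a hint that the kernel or a NAT in front of it is collapsing the range, which is the same weakness the advisories describe for the unpatched stub resolver.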