[Python-modules-team] Bug#492465: python-dnspython: appears to be vulnerable to cache poisoning attack CVE-2008-1447
Santiago Ruano Rincón
santiagorr at riseup.net
Mon Oct 21 20:33:56 BST 2024
On 29/07/08 at 17:28, Bob Halley wrote:
>
> On 28 Jul 2008, at 09:50, Robert Edmonds wrote:
>
> > [ I am CC'ing the upstream author, Bob Halley. Bob, are you planning a
> > fix to bring dnspython in line with forgery-resilience? ]
>
> I haven't been rushing to make a fix because dnspython is a stub resolver
> (typically cacheless) and is thus not likely a profitable target.
>
> Having said that, I would like to strengthen it, but it will take a little
> time since I'd like to improve the quality of the randomness as well.
> Python's random() function is based on the Mersenne Twister, which is not
> cryptographically strong. What's the timeframe for lenny?

Hello Bob,

While reviewing some bugs in Debian, I found this long-standing issue
about dnspython and CVE-2008-1447 ("the Kaminsky bug"):
https://bugs.debian.org/492465, and I wonder what the current actual
status is.

I see this as part of the changes introduced by 1.7.0 in 2009:

    An entropy module has been added and is used to randomize query ids.

Could it then be considered safe to state that #492465 is fixed? If yes,
would it be from version 1.7.0 (actually 1.7.1-1 in Debian)?

Best regards,

 -- Santiago
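
The thread above turns on whether query IDs are unpredictable enough to resist forged replies (CVE-2008-1447). As an added example, not part of the original message and not dnspython's own code, the following stdlib-only Python draws the ID from the OS CSPRNG via `secrets` instead of the Mersenne Twister and checks a reply before accepting it; the function names, the `make_reply` helper and the sample server address are assumptions made for the illustration.

```python
import secrets
import struct

def encode_name(name):
    """Encode a domain name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1):
    """Return (query_id, wire) for a recursive query with an unpredictable ID."""
    qid = secrets.randbelow(1 << 16)  # OS CSPRNG, not random()'s Mersenne Twister
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    return qid, header + question

def accept_response(wire, qid, query_wire, sender, server):
    """Forgery-resilience checks applied before a reply is parsed any further."""
    if sender != server:        # must come from the address and port that was queried
        return False
    if len(wire) < 12:          # too short to hold a DNS header
        return False
    rid, flags, qdcount = struct.unpack("!HHH", wire[:6])
    if rid != qid:              # ID must match the outstanding query
        return False
    if not flags & 0x8000:      # QR bit must mark the packet as a response
        return False
    question = query_wire[12:]
    # The question section must echo exactly what was asked.
    return qdcount == 1 and wire[12:12 + len(question)] == question

def make_reply(query_wire, rid):
    """Constructed sample reply: echoes the question with QR set and the given ID."""
    return struct.pack("!HHHHHH", rid, 0x8180, 1, 0, 0, 0) + query_wire[12:]

if __name__ == "__main__":
    server = ("192.0.2.53", 53)  # constructed address from the documentation range
    qid, q = build_query("example.org")
    print("matching ID accepted:", accept_response(make_reply(q, qid), qid, q, server, server))
    print("wrong ID accepted:   ", accept_response(make_reply(q, qid ^ 1), qid, q, server, server))
```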