[Python-modules-team] Bug#492465: python-dnspython: appears to be vulnerable to cache poisoning attack CVE-2008-1447

Bob Halley halley at play-bow.org
Tue Oct 22 01:05:28 BST 2024


This is a blast from the past; 2008 is a LONG time ago!

It should be fine as of 1.7, since the entropy pool added then would help with query id randomness. Newer dnspython releases use the system's randomness source via Python APIs instead of the dnspython entropy pool if possible, so should be even better. Also dnspython creates a new socket for every query, so there will be port randomization from the OS most likely as well. Finally, dnspython doesn't cache by default, and even if its optional caching features are enabled, the nature of the way it caches does not leave it susceptible to the Kaminsky-style attacks. Also it is probably harder for an attacker to send a giant stream of queries through dnspython than it is to send them to an ISP in most things that use dnspython.

/Bob


> On Oct 21, 2024, at 12:33, Santiago Ruano Rincón <santiagorr at riseup.net> wrote:
> 
> On 29/07/08 at 17:28, Bob Halley wrote:
>> 
>> On 28 Jul 2008, at 09:50, Robert Edmonds wrote:
>> 
>>> [ i am CC'ing the upstream author, Bob Halley.  Bob, are you planning a
>>> fix to bring dnspython in line with forgery-resilience? ]
>> 
>> I haven't been rushing to make a fix because dnspython is a stub resolver
>> (typically cacheless) and is thus not likely a profitable target.
>> 
>> Having said that, I would like to strengthen it, but it will take a little
>> time since I'd like to improve the quality of the randomness as well.
>> Python's random() function is based on the Mersenne Twister, which is not
>> cryptographically strong.  What's the timeframe for lenny?
> 
> Hello Bob,
> 
> While reviewing some bugs in Debian, I found this long-standing issue
> about dnspython and CVE-2008-1447 ("the Kaminsky bug"):
> https://bugs.debian.org/492465, and I wonder what is the current actual
> status.
> 
> I see this as part of the changes introduced by 1.7.0 in 2009:
> 
>    An entropy module has been added and is used to randomize query ids.
> 
> Could it be considered then safe to state that #492465 is fixed? If yes,
> would it be from 1.7.0 (actually 1.7.1-1 in Debian) version?
> 
> Best regards,
> 
> -- Santiago
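
The forgery-resilience measures discussed in this thread (query ids drawn from the system randomness source, plus source-port randomization) can be sketched as follows. This is an added example, not code from the thread or from dnspython; the function names and the port-range figure are assumptions made for illustration.

```python
import secrets
import struct
from typing import Tuple

def encode_name(name: str) -> bytes:
    """Encode a domain name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = 1) -> Tuple[int, bytes]:
    """Return (query_id, wire). The ID comes from the OS CSPRNG via `secrets`,
    not from random.random(), whose Mersenne Twister output is predictable."""
    qid = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return qid, header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def accept_response(query: bytes, response: bytes) -> bool:
    """Accept a reply only if its ID and question section match the query sent."""
    if len(response) < 12:
        return False
    (qid,) = struct.unpack("!H", query[:2])
    rid, flags, qdcount = struct.unpack("!HHH", response[:6])
    if rid != qid or not flags & 0x8000 or qdcount != 1:  # 0x8000 = QR (is a response)
        return False
    question = query[12:]
    # Assumes the server echoes the question bytes unchanged, as is usual.
    return response[12:12 + len(question)] == question

def forgery_odds(forged: int, ports: int = 1) -> float:
    """Chance that at least one of `forged` blind replies matches the 16-bit ID
    and, when the source port is also randomised, one of `ports` possible ports."""
    space = (1 << 16) * ports
    return 1 - (1 - 1 / space) ** forged

if __name__ == "__main__":
    qid, query = build_query("example.com")
    # Constructed replies: one echoing the ID, one blind guess with a wrong ID.
    good = struct.pack("!HHHHHH", qid, 0x8180, 1, 0, 0, 0) + query[12:]
    bad = struct.pack("!HHHHHH", qid ^ 1, 0x8180, 1, 0, 0, 0) + query[12:]
    print(accept_response(query, good), accept_response(query, bad))
    # 28000 is a constructed ephemeral-port range size, not a measured value.
    print(forgery_odds(1000), forgery_odds(1000, ports=28000))
```
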


