[Python-modules-team] Bug#492465: python-dnspython: appears to be vulnerable to cache poisoning attack CVE-2008-1447

Santiago Ruano Rincón santiagorr at riseup.net
Wed Oct 23 23:23:23 BST 2024


On 22/10/24 at 00:05, Bob Halley wrote:
> This is a blast from the past; 2008 is a LONG time ago!

Indeed! :-)

> It should be fine, as of 1.7 since the entropy pool added then would help with query id randomness. Newer dnspython releases use the system's randomness source via python APIs instead of the dnspython entropy pool if possible, so should be even better. Also dnspython creates a new socket for every query, so there will be port randomization from the OS most likely as well. Finally, dnspython doesn't cache by default, and even if its optional caching features are enabled, the nature of the way it caches does not leave it susceptible to the Kaminsky style attacks. Also it is probably harder for an attacker to send a giant stream of queries through dnspython than it is to send them to an ISP in most things that use dnspython.

Thanks a lot for your answer.

Given the above, if there are no objections, I would close this bug with
Version: 1.7.1-.

Dear security team, would you agree with changing this in the security
tracker?

diff --git a/data/CVE/list b/data/CVE/list
index cc75787c27..761c635a98 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -714267,7 +714267,7 @@ CVE-2008-1447 (The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0
 	- refpolicy 2:0.0.20080702-1
 	- pdnsd 1.2.6-par-11 (bug #502275)
 	- python-dns 2.3.1-5 (low; bug #490217)
-	- dnspython <unfixed> (unimportant; bug #492465)
+	- dnspython 1.7.1-1 (unimportant; bug #492465)
 	NOTE: Just a stub resolver Linux kernel provides source port randomisation
 	- adns 1.4-2 (unimportant; bug #492698)
 	NOTE: adns is not suitable to use with untrusted responses, documented in README.Debian
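Review bot: the NOTE line that follows the dnspython entry still records only the "stub resolver, kernel provides source port randomisation" argument behind the unimportant rating, and nothing about why 1.7.1-1 is now the fixed version; since the basis for the change is the entropy module that upstream 1.7.0 added to randomise query ids (packaged in Debian as 1.7.1-1, per the quoted exchange), consider extending that NOTE, e.g. `NOTE: 1.7.0 added an entropy module to randomise query ids`, so the tracker carries the rationale next to the version. That NOTE would also read better with a break after "stub resolver".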

> /Bob
> 
> 
> > On Oct 21, 2024, at 12:33, Santiago Ruano Rincón <santiagorr at riseup.net> wrote:
> > 
> > On 29/07/08 at 17:28, Bob Halley wrote:
> >> 
> >> On 28 Jul 2008, at 09:50, Robert Edmonds wrote:
> >> 
> >>> [ i am CC'ing the upstream author, Bob Halley.  Bob, are you planning a
> >>> fix to bring dnspython in line with forgery-resilience? ]
> >> 
> >> I haven't been rushing to make a fix because dnspython is a stub resolver
> >> (typically cacheless) and is thus not likely a profitable target.
> >> 
> >> Having said that, I would like to strengthen it, but it will take a little
> >> time since I'd like to improve the quality of the randomness as well.
> >> Python's random() function is based on the Mersenne Twister, which is not
> >> cryptographically strong.  What's the timeframe for lenny?
> > 
> > Hello Bob,
> > 
> > While reviewing some bugs in Debian, I found this long-standing issue
> > about dnspython and CVE-2008-1447 ("the Kaminsky bug"):
> > https://bugs.debian.org/492465, and I wonder what is the current actual
> > status.
> > 
> > I see this as part of the changes introduced by 1.7.0 in 2009:
> > 
> >    An entropy module has been added and is used to randomize query ids.
> > 
> > Could it be considered then safe to state that #492465 is fixed? If yes,
> > would it be from 1.7.0 (actually 1.7.1-1 in Debian) version?
> > 
> > Best regards,
> > 
> > -- Santiago
> 
> 
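The three forgery-resilience properties Bob lists above (query ids from the system randomness source rather than Python's Mersenne Twister `random`, a fresh socket and hence a fresh kernel-chosen source port per query, and a cacheless stub that only has to match a reply against its own outstanding query) are shown below in a stdlib-only sketch. This is an added example written for this page, not dnspython's code or API; the names `build_query`, `accept_reply`, `reply_for`, `fresh_socket` and `distinct_ids` are this example's own, and no packet leaves the host: the "server" reply is constructed in-line.

```python
"""Added example (not dnspython's code): forgery resilience for a stub resolver.

  1. 16-bit query ids from the OS CSPRNG (secrets), not random.random()'s
     Mersenne Twister, which is not cryptographically strong;
  2. a fresh UDP socket per query, so the kernel assigns the source port;
  3. a reply is accepted only if its id, the QR bit and the echoed question
     all match the outstanding query.  An off-path forger therefore has to
     hit both the 16-bit id and the source port for every attempt.
"""
import secrets
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def strong_qid() -> int:
    """Query id drawn from the system randomness source, full 16-bit range."""
    return secrets.randbits(16)


def build_query(qname: str, qid: int, qtype: int = QTYPE_A) -> bytes:
    """Minimal DNS query: 12-byte header (RD set, qdcount=1) + one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def question_section(msg: bytes) -> bytes:
    """Raw question (name + qtype + qclass) of a message; question names are
    not compressed, so plain label walking suffices.  Truncated input raises."""
    i = 12
    while msg[i] != 0:            # IndexError on truncation is handled by callers
        i += 1 + msg[i]
    end = i + 1 + 4               # root label + qtype + qclass
    if end > len(msg):
        raise ValueError("truncated question section")
    return msg[12:end]


def accept_reply(query: bytes, reply: bytes) -> bool:
    """Stub-resolver acceptance test: same id, QR bit set, same question echoed."""
    if len(reply) < 12:
        return False
    qid, flags = struct.unpack("!HH", reply[:4])
    if qid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return False
    try:
        return question_section(reply) == question_section(query)
    except (IndexError, ValueError):
        return False


def reply_for(query: bytes, qid: int) -> bytes:
    """Reply header (QR, RD, RA) carrying `qid` and echoing the question.
    With the real id it stands in for the server's answer; with a guessed id it
    is one attempt by an off-path forger (who on the wire also needs the port)."""
    return struct.pack("!HHHHHH", qid, 0x8180, 1, 0, 0, 0) + question_section(query)


def fresh_socket() -> socket.socket:
    """One new UDP socket per query; port 0 lets the kernel pick the source port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    return s


def source_ports(n: int) -> list:
    """Source ports the kernel assigns to n back-to-back single-query sockets."""
    ports = []
    for _ in range(n):
        s = fresh_socket()
        ports.append(s.getsockname()[1])
        s.close()
    return ports


def distinct_ids(n: int) -> int:
    """Distinct ids in n draws: close to n for a 16-bit CSPRNG when n << 65536."""
    return len({strong_qid() for _ in range(n)})


if __name__ == "__main__":
    q = build_query("example.com.", strong_qid())
    real_id = struct.unpack("!H", q[:2])[0]
    print("distinct ids in 1000 draws:", distinct_ids(1000))
    print("kernel-chosen source ports for 5 queries:", source_ports(5))
    print("genuine reply accepted:", accept_reply(q, reply_for(q, real_id)))
    print("forged reply (id off by one) accepted:",
          accept_reply(q, reply_for(q, (real_id + 1) & 0xFFFF)))
```

The check a practitioner would run is the `source_ports` call: if consecutive sockets come back on sequential or identical ports, the OS is not contributing the port entropy Bob relies on and only the 16-bit id is protecting the query. The id check alone is what `accept_reply` enforces; the port check is done for you by the kernel, which only delivers a datagram to the socket bound to the port the forger guessed.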

