[Python-modules-team] Bug#492465: python-dnspython: appears to be vulnerable to cache poisoning attack CVE-2008-1447

Moritz Mühlenhoff jmm at inutil.org
Fri Oct 25 14:05:07 BST 2024


On Wed, Oct 23, 2024 at 07:23:23PM -0300, Santiago Ruano Rincón wrote:
> On 22/10/24 at 00:05, Bob Halley wrote:
> > This is a blast from the past; 2008 is a LONG time ago!
> 
> Indeed! :-)
> 
> > It should be fine, as of 1.7 since the entropy pool added then would help with query id randomness. Newer dnspython releases use the system's randomness source via python APIs instead of the dnspython entropy pool if possible, so should be even better. Also dnspython creates a new socket for every query, so there will be port randomization from the OS most likely as well. Finally, dnspython doesn't cache by default, and even if its optional caching features are enabled, the nature of the way it caches does not leave it susceptible to the Kaminsky style attacks. Also it is probably harder for an attacker to send a giant stream of queries through dnspython than it is to send them to an ISP in most things that use dnspython.
> 
> Thanks a lot for your answer.
> 
> Given the above, if there are no objections, I would close this bug with
> Version: 1.7.1-.
> 
> Dear security team, would you agree with changing this in the security
> tracker?

Looks good.

Cheers,
        Moritz
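
The three properties Bob Halley lists above (a query ID drawn from the system's randomness source, a fresh UDP socket per query so the OS picks the source port, and a reply accepted only when it matches the outstanding query) are shown below as an added example. It is not dnspython's code and not part of the original thread; it uses only the Python standard library, and the server address 192.0.2.53 and the hostnames are constructed for the illustration.

```python
"""Added example, standard library only (not dnspython code).

Shows the mitigations against Kaminsky-style ID guessing that the thread
describes: a CSPRNG-drawn 16-bit query ID, an OS-chosen ephemeral source
port from a new socket per query, and strict matching of a reply against
the query it claims to answer.
"""
import secrets
import socket
import struct

DNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
FLAG_QR = 0x8000                       # set on responses
FLAG_RD = 0x0100                       # recursion desired


def encode_name(qname: str) -> bytes:
    """Wire-format a hostname: length-prefixed labels ending in a zero byte."""
    labels = [l.encode("ascii") for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(qname: str, qtype: int = 1) -> bytes:
    """Build a query whose ID comes from the OS CSPRNG via `secrets`, not from
    a sequential counter or `random` (predictable IDs are what made Kaminsky
    spoofing cheap)."""
    qid = secrets.randbelow(1 << 16)
    header = DNS_HEADER.pack(qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN


def query_id(pkt: bytes) -> int:
    return DNS_HEADER.unpack_from(pkt)[0]


def question_section(pkt: bytes) -> bytes:
    """Raw question (name + type + class) so it can be compared byte-for-byte."""
    i = DNS_HEADER.size
    while pkt[i] != 0:            # walk the labels (no compression in a question)
        i += pkt[i] + 1
    return pkt[DNS_HEADER.size:i + 1 + 4]


def forge_response(query: bytes, qid: int, rcode: int = 0) -> bytes:
    """A constructed, answer-less response carrying `qid`. A spoofer who must
    guess the ID produces exactly this with the wrong qid almost every time."""
    return DNS_HEADER.pack(qid, FLAG_QR | FLAG_RD | rcode, 1, 0, 0, 0) + question_section(query)


def response_matches(query: bytes, response: bytes,
                     expected_peer: tuple, actual_peer: tuple) -> bool:
    """Accept a datagram as the answer to `query` only if it arrived from the
    server we asked (on the per-query socket, i.e. the randomised port), echoes
    our random ID, is flagged as a response, and repeats our question verbatim."""
    if actual_peer != expected_peer or len(response) < DNS_HEADER.size:
        return False
    rid, flags, qdcount, *_ = DNS_HEADER.unpack_from(response)
    if rid != query_id(query) or not flags & FLAG_QR or qdcount != 1:
        return False
    try:
        return question_section(response) == question_section(query)
    except IndexError:            # truncated or malformed question
        return False


def fresh_source_port(host: str = "127.0.0.1") -> int:
    """Open a new UDP socket bound to port 0 and report the ephemeral port the
    OS chose; opening a socket per query gets this port randomisation for free."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server = ("192.0.2.53", 53)   # constructed documentation address
    q = build_query("example.com")
    genuine = forge_response(q, query_id(q))
    guess = forge_response(q, (query_id(q) + 1) % 65536)   # attacker's wrong guess
    print("source port for this query:", fresh_source_port())
    print("genuine reply accepted:", response_matches(q, genuine, server, server))
    print("spoofed reply accepted:", response_matches(q, guess, server, server))
```

An attacker without the query ID, the source port and the exact question has to hit all of them at once; with the ID and port both unpredictable the guess space is roughly 2^32 per outstanding query instead of 2^16, which is the gap the original report was about.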
