*** This bug is a security vulnerability *** Public security bug reported:
Binary package hint: pdns-recursor http://doc.powerdns.com/powerdns-advisory-2008-01.html It is recommended that all users of the PowerDNS Recursor upgrade to 3.1.5 as soon as practicable, while we simultaneously note that busy servers are less susceptible to the attack, but not immune. The vulnerability is present on all operating systems where the behaviour of the libc random() function can be predicted based on its past output. This includes at least all known versions of Linux, as well as Microsoft Windows, and probably FreeBSD and Solaris. The magnitude of this vulnerability depends on internal details of the system random() generator. For Linux, the mathematics of the random generator are complex, but well understood and Amit Klein has written and published a proof of concept that can succesfully predict its output after uninterrupted observation of 40-50 DNS queries. Because the observation needs to be uninterrupted, busy PowerDNS Recursor instances are harder to subvert - other data is highly likely to be interleaved with traffic generated by an attacker. Nevertheless, operators are urged to update at their earliest convenience. ** Affects: pdns-recursor (Ubuntu) Importance: Undecided Status: New ** Visibility changed to: Public -- Spoofing-vulnerability in pdns-recursor https://bugs.launchpad.net/bugs/209638 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
