Description
PyDNS (aka python-dns) before 2.3.1-4 in Debian GNU/Linux does not use random source ports or transaction IDs for DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447.
Affected products
- Debian / python-dns 2.3.1-3
- Debian / python-dns 2.3.0-1 – 2.3.0-1
- Debian / python-dns 2.3.0-2 – 2.3.0-2
- Debian / python-dns 2.3.0-3 – 2.3.0-3
- Debian / python-dns 2.3.0-4 – 2.3.0-4
- Debian / python-dns 2.3.0-5 – 2.3.0-5
- Debian / python-dns 2.3.0-5.1 – 2.3.0-5.1
- Debian / python-dns 2.3.0-6 – 2.3.0-6
- Debian / python-dns 2.3.1-1 – 2.3.1-1
- Debian / python-dns 2.3.1-2 – 2.3.1-2
References
- VENDOR_ADVISORY: http://packages.debian.org/changelogs/pool/main/p/python-dns/python-dns_2.3.3-1/changelog
- MAILING_LIST: http://www.openwall.com/lists/oss-security/2008/09/11/1
- MAILING_LIST: http://www.openwall.com/lists/oss-security/2008/09/16/4
- VENDOR_ADVISORY: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490217