1. Gentoo Linux Security Advisory
| Field | Value |
|---|---|
| Advisory Reference | GLSA 200804-22 / pdns-recursor |
| Release Date | April 18, 2008 |
| Latest Revision | August 21, 2008: 03 |
| Impact | normal |
| Exploitable | remote |

| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
|---|---|---|---|
| net-dns/pdns-recursor | < 3.1.6 | >= 3.1.6 | All supported architectures |
Related bug reports: #215567, #231335
Use of insufficient randomness in PowerDNS Recursor might lead to DNS cache poisoning.
The PowerDNS Recursor is an advanced recursing nameserver.
Amit Klein of Trusteer reported that insufficient randomness is used to calculate the TRXID values and the UDP source port numbers (CVE-2008-1637). Thomas Biege of SUSE pointed out that a prior fix to resolve this issue was incomplete, as it did not always enable the stronger random number generator for source port selection (CVE-2008-3217).
A remote attacker could send malicious answers to insert arbitrary DNS data into the cache. These attacks would in turn help an attacker to perform man-in-the-middle and site impersonation attacks.
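The two values the advisory names, the DNS transaction ID (TRXID) and the UDP source port, are the only things a resolver has to tell a genuine answer from a forged one, so a defender wants a way to confirm that an upgraded recursor actually randomizes both. The following script is an added example, not part of this GLSA or of PowerDNS. It takes (source port, DNS message) pairs as they would be observed in a capture of the recursor's outbound queries, extracts the TXID from each DNS header, and flags the fixed-port and counting-TXID patterns described above. The sample observations, the function names and the `Assessment` type are constructed for illustration.

```python
"""Assess whether a resolver's outbound DNS queries randomize transaction IDs
and UDP source ports, the two values the advisory says were predictable.

Added example, not part of the GLSA or of PowerDNS. Function names and the
sample observations are constructed for illustration; in practice the
(source_port, dns_message) pairs would come from a capture of the recursor's
outbound traffic, e.g. queries reaching an authoritative server you operate.
"""
import struct
from dataclasses import dataclass


@dataclass
class Assessment:
    samples: int
    distinct_txids: int
    distinct_ports: int
    txid_sequential: bool
    port_fixed: bool
    port_sequential: bool

    @property
    def weak(self) -> bool:
        # A fixed or counting source port, or a counting TXID, is predictable:
        # a spoofed answer only has to guess the remaining value.
        return self.txid_sequential or self.port_fixed or self.port_sequential


def build_query(txid: int, name: str = "example.com") -> bytes:
    """Build a minimal DNS A query (used here only to construct sample data)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_txid(dns_message: bytes) -> int:
    """The transaction ID is the first 16 bits of the 12-byte DNS header."""
    if len(dns_message) < 12:
        raise ValueError("DNS header is 12 bytes long")
    return struct.unpack("!H", dns_message[:2])[0]


def looks_sequential(values) -> bool:
    """True when every consecutive pair differs by the same constant
    (a counter when the step is 1, a fixed value when the step is 0)."""
    if len(values) < 3:
        return False
    deltas = {(b - a) & 0xFFFF for a, b in zip(values, values[1:])}
    return len(deltas) == 1


def assess(observations) -> Assessment:
    """observations: iterable of (udp_source_port, dns_message_bytes)
    for consecutive outbound queries from the resolver under test."""
    observations = list(observations)
    ports = [port for port, _ in observations]
    txids = [parse_txid(msg) for _, msg in observations]
    return Assessment(
        samples=len(observations),
        distinct_txids=len(set(txids)),
        distinct_ports=len(set(ports)),
        txid_sequential=looks_sequential(txids),
        port_fixed=len(set(ports)) == 1,
        port_sequential=looks_sequential(ports),
    )


# Constructed samples: a resolver that counts TXIDs from one fixed port (the
# weakness the advisory describes) and one whose values look random.
WEAK_RESOLVER = [(1053, build_query(0x1000 + i)) for i in range(8)]
_STRONG_PORTS = [41873, 60022, 33190, 52744, 37415, 49981, 58306, 44127]
_STRONG_TXIDS = [0x3A7F, 0xC214, 0x08E9, 0xF1B2, 0x5D60, 0x9A03, 0x27CB, 0xE47E]
STRONG_RESOLVER = [(p, build_query(t)) for p, t in zip(_STRONG_PORTS, _STRONG_TXIDS)]

if __name__ == "__main__":
    for label, obs in (("weak", WEAK_RESOLVER), ("strong", STRONG_RESOLVER)):
        result = assess(obs)
        print(f"{label}: {result} -> weak={result.weak}")
```

Run it against a few dozen captured queries rather than eight; a fixed port or a counting TXID is the clear-cut failure this advisory is about, and it shows up immediately. Passing the heuristic only rules out those obvious patterns; it does not prove the generator is cryptographically strong, which is why upgrading to the fixed package remains the actual remedy.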
There is no known workaround at this time.
All PowerDNS Recursor users should upgrade to the latest version:
Code Listing 3.1: Resolution

```shell
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-dns/pdns-recursor-3.1.6"
```