PyDNS (aka python-dns) before 2.3.1-4 in Debian GNU/Linux does not use random source ports or transaction IDs for DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Python-dns | Debian | * | 2.3.1-3 (including) |
| Python-dns | Debian | 2.3.0-1 (including) | 2.3.0-1 (including) |
| Python-dns | Debian | 2.3.0-2 (including) | 2.3.0-2 (including) |
| Python-dns | Debian | 2.3.0-3 (including) | 2.3.0-3 (including) |
| Python-dns | Debian | 2.3.0-4 (including) | 2.3.0-4 (including) |
| Python-dns | Debian | 2.3.0-5 (including) | 2.3.0-5 (including) |
| Python-dns | Debian | 2.3.0-5.1 (including) | 2.3.0-5.1 (including) |
| Python-dns | Debian | 2.3.0-6 (including) | 2.3.0-6 (including) |
| Python-dns | Debian | 2.3.1-1 (including) | 2.3.1-1 (including) |
| Python-dns | Debian | 2.3.1-2 (including) | 2.3.1-2 (including) |
| Python-dns | Ubuntu | dapper | * |
| Python-dns | Ubuntu | feisty | * |
| Python-dns | Ubuntu | gutsy | * |
| Python-dns | Ubuntu | hardy | * |
| Python-dns | Ubuntu | upstream | * |
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490217
- http://packages.debian.org/changelogs/pool/main/p/python-dns/python-dns_2.3.3-1/changelog
- http://www.openwall.com/lists/oss-security/2008/09/11/1
- http://www.openwall.com/lists/oss-security/2008/09/16/4
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490217
- http://packages.debian.org/changelogs/pool/main/p/python-dns/python-dns_2.3.3-1/changelog
- http://www.openwall.com/lists/oss-security/2008/09/11/1
- http://www.openwall.com/lists/oss-security/2008/09/16/4