oss-sec mailing list archives
Re: CVE Request New-djbdns: dnscache: potential cache poisoning
From: cve-assign () mitre org
Date: Wed, 19 Feb 2014 17:11:15 -0500 (EST)
https://00f.net/2012/06/26/dnscache-poisoning-and-siphash/
https://github.com/pjps/ndjbdns/commit/16cb625eccbd68045737729792f09b4945a4b508

This issue (or, in particular, its fix) is probably best considered a security improvement, with no CVE assignment. As far as we can tell, the code was attempting to implement and use djb33, and did actually implement and use djb33 without a "software mistake" in the traditional sense. Yes, we realize that there's a potentially important and potentially simple attack possibility that could have been avoided by not choosing djb33. That's not sufficient, however. Also, in this case, some aspects of making a better choice (e.g., with sufficiently fast and auditable pseudorandom hashing code) were probably not even understood in the research community at the time the software was originally written.

CVE does, as a secondary form of inclusion, cover vulnerability advisories from a vendor who was the original author of a piece of software and publishes a change as a required security update. That is unlikely here; nobody is anticipating djbdns-1.06.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]