| Name | CVE-2008-1447 |
| Description | The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, ... |
| Source | CVE (at NVD; oss-sec, OSVDB, EDB, Red Hat, Ubuntu, Gentoo, more) |
| References | DSA-1603-1, DSA-1604-1, DSA-1605-1, DSA-1617-1, DSA-1619-1, DSA-1623-1, DTSA-147-1 |
| Debian Bugs | 490123, 490217, 492465, 492698, 492700, 493599, 502275 |
| Debian/oldstable | package dnspython is vulnerable; however, the security impact is unimportant. |
| Debian/stable | package dnspython is vulnerable; however, the security impact is unimportant. |
| Debian/testing | package udns is vulnerable. |
| Debian/unstable | package udns is vulnerable. |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| adns (PTS) | jessie, squeeze, wheezy, sid | 1.4-2 | fixed |
| bind9 (PTS) | squeeze, squeeze (security) | 1:9.7.3.dfsg-1~squeeze11 | fixed |
| wheezy, wheezy (security) | 1:9.8.4.dfsg.P1-6+nmu2+deb7u1 | fixed | |
| jessie | 1:9.8.4.dfsg.P1-6+nmu3 | fixed | |
| sid | 1:9.9.5.dfsg-2 | fixed | |
| dnsmasq (PTS) | squeeze | 2.55-2 | fixed |
| wheezy | 2.62-3+deb7u1 | fixed | |
| jessie, sid | 2.68-1 | fixed | |
| dnspython (PTS) | squeeze | 1.8.0-1 | vulnerable |
| wheezy | 1.10.0-1 | vulnerable | |
| jessie, sid | 1.11.1-1 | vulnerable | |
| libnet-dns-perl (PTS) | squeeze, wheezy | 0.66-2 | fixed |
| jessie, sid | 0.68-1.2 | fixed | |
| pdnsd (PTS) | squeeze | 1.2.7-par-1.2 | fixed |
| wheezy | 1.2.8-par-3 | fixed | |
| jessie, sid | 1.2.9a-par-2 | fixed | |
| python-dns (PTS) | squeeze | 2.3.4-4 | fixed |
| wheezy | 2.3.6-1+deb7u1 | fixed | |
| jessie, sid | 2.3.6-3 | fixed | |
| refpolicy (PTS) | squeeze | 2:0.2.20100524-7+squeeze1 | fixed |
| wheezy | 2:2.20110726-12 | fixed | |
| jessie, sid | 2:2.20140206-1 | fixed | |
| udns (PTS) | jessie, sid | 0.4-1 | vulnerable |
The information above is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| adns | source | (unstable) | 1.4-2 | unimportant | 492698 | |
| bind9 | source | (unstable) | 1:9.5.0.dfsg-5 | high | ||
| bind9 | source | etch | 1:9.3.4-2etch3 | DSA-1603-1 | ||
| bind9 | source | lenny | 1:9.4.2-10+lenny1 | DTSA-147-1 | ||
| dnsmasq | source | (unstable) | 2.43-1 | medium | 490123 | |
| dnsmasq | source | etch | 2.35-1+etch4 | DSA-1623-1 | ||
| dnspython | source | (unstable) | (unfixed) | unimportant | 492465 | |
| libnet-dns-perl | source | (unstable) | 0.63-2 | low | 492700 | |
| pdnsd | source | (unstable) | 1.2.6-par-11 | 502275 | ||
| python-dns | source | (unstable) | 2.3.1-5 | low | 490217 | |
| python-dns | source | etch | 2.3.0-5.2+etch1 | DSA-1619-1 | ||
| refpolicy | source | (unstable) | 2:0.0.20080702-1 | |||
| refpolicy | source | etch | 0.0.20061018-5.1+etch1 | DSA-1617-1 | ||
| ruby1.9 | source | (unstable) | 1.9.0.2-6 | low | ||
| udns | source | (unstable) | (unfixed) | 493599 |
glibc stub resolver relies on source port randomisation in kernel Just a stub resolver Linux kernel provides source port randomisation adns is not suitable to use with untrusted responses, documented in README.Debian Source port randomization from Lenny kernel should provide sufficient protection since this is just a Perl nodule for DNS queries and not a high-profile server app like Bind, it's unlikely that a home-grown fix will provide an implementation of higher cryptographical quality. Marking the version from Lenny as fixed, since Lenny includes a kernel which provides source port randomization Unbound, djbdns, pdnsd and PowerDNS are affected by the underlying protocol issue, but already use source port randomization. Marking non-caching stub resolvers as low since these really should be fixed, but are much less vulnerable than a caching server.
Home - Testing Security Team - Debian Security - Source (SVN)