CVE-2008-1447

NameCVE-2008-1447
DescriptionThe DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, ...
SourceCVE (at NVD; oss-sec, OSVDB, EDB, Red Hat, Ubuntu, Gentoo, SuSE, more)
ReferencesDSA-1603-1, DSA-1604-1, DSA-1605-1, DSA-1617-1, DSA-1619-1, DSA-1623-1, DTSA-147-1
Debian Bugs490123, 490217, 492465, 492698, 492700, 493599, 502275
Debian/oldstablepackage dnspython is vulnerable; however, the security impact is unimportant.
Debian/stablepackage dnspython is vulnerable; however, the security impact is unimportant.
Debian/testingpackage udns is vulnerable.
Debian/unstablepackage udns is vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
adns (PTS)jessie, squeeze, wheezy, sid1.4-2fixed
bind9 (PTS)squeeze, squeeze (security)1:9.7.3.dfsg-1~squeeze11fixed
wheezy, wheezy (security)1:9.8.4.dfsg.P1-6+nmu2+deb7u1fixed
jessie1:9.8.4.dfsg.P1-6+nmu3fixed
sid1:9.9.5.dfsg-3fixed
dnsmasq (PTS)squeeze2.55-2fixed
wheezy2.62-3+deb7u1fixed
jessie2.68-1fixed
sid2.69-1fixed
dnspython (PTS)squeeze1.8.0-1vulnerable
wheezy1.10.0-1vulnerable
jessie, sid1.11.1-1vulnerable
libnet-dns-perl (PTS)squeeze, wheezy0.66-2fixed
jessie, sid0.68-1.2fixed
pdnsd (PTS)squeeze1.2.7-par-1.2fixed
wheezy1.2.8-par-3fixed
jessie, sid1.2.9a-par-2fixed
python-dns (PTS)squeeze2.3.4-4fixed
wheezy2.3.6-1+deb7u1fixed
jessie, sid2.3.6-3fixed
refpolicy (PTS)squeeze2:0.2.20100524-7+squeeze1fixed
wheezy2:2.20110726-12fixed
jessie, sid2:2.20140311-1fixed
udns (PTS)jessie, sid0.4-1vulnerable

The information above is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
adnssource(unstable)1.4-2unimportant492698
bind9source(unstable)1:9.5.0.dfsg-5high
bind9sourceetch1:9.3.4-2etch3DSA-1603-1
bind9sourcelenny1:9.4.2-10+lenny1DTSA-147-1
dnsmasqsource(unstable)2.43-1medium490123
dnsmasqsourceetch2.35-1+etch4DSA-1623-1
dnspythonsource(unstable)(unfixed)unimportant492465
libnet-dns-perlsource(unstable)0.63-2low492700
pdnsdsource(unstable)1.2.6-par-11502275
python-dnssource(unstable)2.3.1-5low490217
python-dnssourceetch2.3.0-5.2+etch1DSA-1619-1
refpolicysource(unstable)2:0.0.20080702-1
refpolicysourceetch0.0.20061018-5.1+etch1DSA-1617-1
ruby1.9source(unstable)1.9.0.2-6low
udnssource(unstable)(unfixed)493599

Notes

glibc stub resolver relies on source port randomisation in kernel
Just a stub resolver Linux kernel provides source port randomisation
adns is not suitable to use with untrusted responses, documented in README.Debian
Source port randomization from Lenny kernel should provide sufficient protection
since this is just a Perl nodule for DNS queries and not a high-profile server app like
Bind, it's unlikely that a home-grown fix will provide an implementation of higher
cryptographical quality. Marking the version from Lenny as fixed, since Lenny includes
a kernel which provides source port randomization
Unbound, djbdns, pdnsd and PowerDNS are affected by the underlying protocol issue, but
already use source port randomization.
Marking non-caching stub resolvers as low since these really should be fixed,
but are much less vulnerable than a caching server.

Search for package or bug name: Reporting problems

Home - Testing Security Team - Debian Security - Source (SVN)