Date: Thu, 4 Sep 2008 12:01:04 -0400 (EDT) From: "Steven M. Christey" <coley@...us.mitre.org> To: oss-security@...ts.openwall.com, oss-security@...ts.openwall.com cc: coley@...re.org Subject: Re: CVE Request (ruby -- DNS spoofing vulnerability in resolv.rb) On Wed, 3 Sep 2008, Jan Lieskovsky wrote: > could you please allocate an another CVE id > for the DNS spoofing vulnerability in Ruby resolv.rb code. > > http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/ > (part DNS spoofing vulnerability in resolv.rb) > >... > > The transaction IDs are assigned in sequential (n+1 order) and the > source ports are always the same. Use CVE-2008-3905, to be filled in soon. We're treating this as a distinct issue because this is *REALLY* bad randomness within a particular implementation, besides the inherent limitation of DNS when source ports are fixed. - Steve
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ