Date: Tue, 11 Feb 2014 12:24:21 +0530 (IST)
From: P J P <ppandit@...hat.com>
To: oss security list <oss-security@...ts.openwall.com>
Subject: Re: CVE Request New-djbdns: dnscache: potential cache
 poisoning

   Hi,

+-- On Mon, 10 Feb 2014, P J P wrote --+
| I'll check with the upstream author for more clarification.

Upstream author's reply:

 > On Tuesday, 11 February 2014 4:28 AM, Frank Denis wrote:
 >
 > The shorter the TTL of a record is, the easier a cache can be poisoned.
 > It is when a record is NOT cached that spoofed authoritative replies
 > can be sent and get a chance to reach the resolver before the
 > legitimate one.
 > 
 > As soon as a valid response is received, dnscache invalidates the state, 
 > discarding further responses, even if these are valid.


Hope it helps. Thank you.
--
Prasad J Pandit / Red Hat Security Response Team
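As an added illustration of the two rules in Frank Denis's reply above (a constructed Python model written for this page, not dnscache's source and not part of the thread; the class, function names, seed and addresses are assumptions), the toy resolver below accepts a response only while a matching query is outstanding, and the first accepted response discards that state so every later response for the same query is dropped. The simulation then counts how many race windows a record with a given TTL opens in a fixed period: a cached record is answered without any query, so the attacker only gets a chance each time the TTL has expired. The toy model randomizes both transaction id and source port, which is a modelling choice here and not a statement about New-djbdns.

```python
"""Toy model of the in-flight-query poisoning window (constructed example).

Simplifications: no DNS wire format, no real timing, one name, one client
query per simulated second. The attacker floods every 16-bit transaction id
before the legitimate answer arrives; it either knows the resolver's source
port or has to guess one.
"""
import random

TXID_SPACE = 1 << 16          # 16-bit DNS transaction id
PORT_LO, PORT_HI = 1024, 65536


class ToyResolver:
    def __init__(self, rng):
        self.rng = rng
        self.cache = {}       # name -> (answer, expires_at)
        self.pending = {}     # name -> (txid, source_port) of the outstanding query

    def lookup(self, name, now):
        """Answer from cache, or send a query upstream (this opens the race window)."""
        entry = self.cache.get(name)
        if entry is not None and entry[1] > now:
            return ("cached", entry[0])
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.randrange(PORT_LO, PORT_HI)
        self.pending[name] = (txid, port)
        return ("query", (txid, port))

    def receive(self, name, txid, port, answer, ttl, now):
        """Deliver a response; True if it was accepted into the cache."""
        if self.pending.get(name) != (txid, port):
            return False       # nothing outstanding, or txid/port mismatch: dropped
        del self.pending[name] # state invalidated: later responses are discarded
        self.cache[name] = (answer, now + ttl)
        return True


def first_response_wins():
    """Once the legitimate answer lands, a spoof carrying the correct txid and
    port is still rejected because the outstanding state is gone.
    Returns (legit_accepted, spoof_accepted, next_lookup)."""
    r = ToyResolver(random.Random(0))
    _, (txid, port) = r.lookup("example.com", now=0)
    legit = r.receive("example.com", txid, port, "93.184.216.34", 300, now=0)
    spoof = r.receive("example.com", txid, port, "198.51.100.1", 300, now=0)
    return legit, spoof, r.lookup("example.com", now=1)


def simulate(ttl, duration, attacker_knows_port, seed=1):
    """One client query per simulated second for `duration` seconds.
    Whenever the record is not cached, the attacker sends a spoofed response
    for every txid (at the real port if known, else at one guessed port)
    before the legitimate answer arrives. Returns (windows, poisoned)."""
    rng = random.Random(seed)
    r = ToyResolver(rng)
    name = "example.com"
    windows = poisoned = 0
    for now in range(duration):
        kind, state = r.lookup(name, now)
        if kind == "cached":
            continue              # no query in flight: nothing to race against
        windows += 1
        txid, port = state
        guess_port = port if attacker_knows_port else rng.randrange(PORT_LO, PORT_HI)
        for g in range(TXID_SPACE):
            if r.receive(name, g, guess_port, "198.51.100.1", ttl, now):
                poisoned += 1
                break
        # legitimate answer: accepted only if the attacker did not win the race
        r.receive(name, txid, port, "93.184.216.34", ttl, now)
    return windows, poisoned


if __name__ == "__main__":
    print("legit accepted, later spoof accepted, next lookup:", first_response_wins())
    for ttl in (1, 30):
        print("ttl=%2ds known port:   windows=%d poisoned=%d" % ((ttl,) + simulate(ttl, 60, True)))
        print("ttl=%2ds guessed port: windows=%d poisoned=%d" % ((ttl,) + simulate(ttl, 60, False)))
```

With a 1-second TTL the attacker gets 60 windows per minute; with a 30-second TTL it gets two. When the attacker knows the source port, a full txid flood wins every window in this model; with the port unknown the guess must also match, which is why per-window success drops sharply, but the number of windows, and hence of attempts, is still set by the TTL.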
