Date: Thu, 13 Nov 2014 08:03:36 -1000
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: oss-security@...ts.openwall.com, krahmer@...e.de
CC: cve-assign@...re.org
Subject: Re: Re: CVE-request: systemd-resolved DNS cache poisoning

On 11/13/2014 04:56 AM, Florian Weimer wrote:
>
> I asked Bert to be sure, and he says that it was his intent that the
> advice applied to non-recursive resolvers as well.  (Note that
> systemd-resolved is more than a minimal stub because it has a cache.)

I have to agree with Florian here.

It's possible that rfc5452 was the wrong citation, since it seems to be
devoted mainly to making sure that you don't accept packets from remote
DNS servers you didn't request them from.

the problem with systemd-resolved as i understand it is not that it's
accepting packets from DNS servers it didn't request from, but that it's
caching unrelated responses in those records.

This isn't typically an issue for cache-less stub resolvers, because
they're being invoked by things like gethostbyname(), which might
receive the extra information but won't actually process it, cache it,
or do anything with it.

It sounds like a vulnerability to me, and i hope that MITRE will
reconsider its decision here.

	--dkg
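The distinction drawn in the message above, between receiving unrelated records and caching them, shown as an added example that is not part of the original post and is not systemd-resolved's code: a cache-admission check that keeps only the records answering the question that was asked, following a CNAME chain from the queried name. The `RR` type, the function names and the sample response are assumptions constructed for illustration, and the check works on already-parsed answer records.

```python
from typing import NamedTuple

class RR(NamedTuple):
    name: str   # owner name of the record
    rtype: str  # "A", "AAAA", "CNAME", ...
    data: str   # address, or target name for a CNAME

def norm(name: str) -> str:
    """DNS names compare case-insensitively; ignore the trailing root dot."""
    return name.rstrip(".").lower()

def cacheable_records(qname, qtype, answer_rrs, max_chain=8):
    """Return only the records that answer (qname, qtype).

    Starts at the queried name and follows CNAMEs; any record whose owner
    name is not on that chain is left out and must not be cached.
    """
    owner, visited, accepted = norm(qname), set(), []
    while owner not in visited and len(visited) < max_chain:
        visited.add(owner)  # also stops CNAME loops
        here = [rr for rr in answer_rrs if norm(rr.name) == owner]
        accepted += [rr for rr in here if rr.rtype == qtype]
        cnames = [rr for rr in here if rr.rtype == "CNAME" and qtype != "CNAME"]
        if not cnames:
            break
        accepted.append(cnames[0])
        owner = norm(cnames[0].data)
    return accepted

# Constructed sample: response to "www.example.org A" that also carries a
# record for a name nobody asked about (documentation address ranges).
RESPONSE = [
    RR("www.example.org.", "CNAME", "host.example.org."),
    RR("host.example.org.", "A", "192.0.2.10"),
    RR("unrelated.example.net.", "A", "203.0.113.66"),
]

def rejected_records(qname, qtype, answer_rrs):
    """Records a caching resolver should drop instead of storing."""
    keep = cacheable_records(qname, qtype, answer_rrs)
    return [rr for rr in answer_rrs if rr not in keep]

if __name__ == "__main__":
    for rr in cacheable_records("www.example.org", "A", RESPONSE):
        print("cache :", rr)
    for rr in rejected_records("www.example.org", "A", RESPONSE):
        print("drop  :", rr)
```

This covers only which records are admitted to the cache; validating where a response came from is the separate concern the message attributes to rfc5452.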