Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon,  8 Jun 2015 17:34:55 -0400 (EDT)
Subject: Re: CVE Request: WebKitGTK+ performs DNS prefetch when a proxy is configured

Hash: SHA1


> Complaint: "Apparently it seems that even when configured to use Tor
> as proxy, epiphany is so "smart" to send DNS queries directly to the
> wire, thus making any effort of Tor useless."

> Note: This is not really exploitable per se and it's public in three
> downstream bugtrackers, so no point in trying to hide this -> public
> intentionally.

> All reviewed patches have been landed.

We're not sure that this can be considered a vulnerability fix; it
seems more like a feature addition. The
platformProxyIsEnabledInSystemPreferences "return false" code seems to
mean that the the product's development status was that ascertaining a
proxy setting was an unimplemented capability, and therefore any
proxy-specific DNS behavior was an unimplemented feature.

Admittedly, never making direct DNS queries during proxy use may be
the new preferred behavior in this product. However, sometimes people
want to make direct DNS queries during proxy use. For example,
suppose that a company requires all outbound HTTP requests to go
through a proxy server at the company's headquarters office. However,
branch offices can make outbound DNS queries from their own networks,
possibly in other countries. Some DNS servers respond with different A
records based on an estimate of the geographical location of the DNS
client (or did historically). These different A records may ultimately
be useful in obtaining HTTP responses that are more geographically
appropriate for a branch office.

Some web pages possibly related to how DNS should work with a proxy:

There could be a CVE ID if a product were specifically trying to
detect a proxy setting (in order to avoid direct DNS in that case) but
failing because of a coding error. There typically can't be a CVE ID
for addition of new code to satisfy a requested behavior change.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1.4.14 (SunOS)


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.