Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 28 Jul 2015 20:13:13 +0100
From: Kiall Mac Innes <kiall@...innes.ie>
To: cve-assign@...re.org
CC: oss-security@...ts.openwall.com
Subject: Re: CVE Request - OpenStack Designate mDNS DoS through incorrect
 handling of large RecordSets

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 28/07/15 19:57, cve-assign@...re.org wrote:
>> https://launchpad.net/bugs/1471161
> 
>> Designate does not enforce the DNS protocol limit concerning
>> record set sizes
> 
>> As a result, the rendering loop in desginate-mdns can does not
>> make progress
> 
>> Because it keeps receiving data, it does not seem it will ever
>> run into a timeout (and if it does, it will try again).
> 
>> https://bugs.launchpad.net/designate/+bug/1471161/comments/5
> 
>> I think there is 2 parts to this bug:
> 
>> 1: Quotas were being bypassed as part of the v1 API. 2. If there
>> was enough RRs in a RRSet MiniDNS went into a loop. 3. MiniDNS
>> does not have a timeout.
> 
> Our current feeling is that it is best to have two CVE IDs: one
> for the original "does not enforce the DNS protocol limit
> concerning record set sizes" issue and one for the "Quotas were
> being bypassed" issue. Is that OK?

Yes, this is OK.

> [SNIP]
> 
> We feel that item 3, adding a timeout, can be considered a
> security enhancement opportunity that should not have its own CVE
> ID, i.e., there is no report of a vulnerability that can be fixed
> only with a timeout.

Agreed.

> Finally, our understanding is that multiple names are being used to
> refer to the general 
> https://wiki.openstack.org/wiki/Designate/Blueprints/MiniDNS
> concept, i.e., we think "MiniDNS does not have a timeout" is an
> observation about the Designate codebase, not a third-party DNS
> server such as from the https://code.google.com/p/minidns/ site.
> Also, we think this part of the Designate codebase is also called
> designate-mdns (misspelled as desginate-mdns) and mDNS -- these are
> essentially alternative names for Designate MiniDNS.
> 

Interesting, https://code.google.com/p/minidns/ is project I've not
seen before. Within OpenStack Designate, we typically refer to the
`designate-mdns` service as either MiniDNS or mDNS, we will need to
ensure we're clearer in our wording in future to avoid any possible
confusion.

Thanks,
Kiall
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJVt9RIAAoJEHuWgzsGpgIa4igIAL4eiWoGF9ca5Cw4nlmQqZoe
ZNnDJCI9JnAj87FOj7wVep8mM1RvD6dSmyfKeixp6ounAMCtaVoOtQa2oF+Gxqk0
A3nAgRCKWMKr6awmlN5FClLoX8oHg88iIOv8hE45RqjUaXat1dHvPog1YBxN6Ud0
Sx/IOaCWKHJIi/wJdwmNLbIP573tFhL0Hfw+m6AIiuRL495F7Umvqdb1nMHR/wfl
/bwiTwfX3yD0q/kZAEZux23zBCOZEv24C9ups6LEP5un2G0w8P97VQdGDRhzddls
EQstl/2gxR6yOPWV9f4MFxeVlEohHT5MZ5gvNio+7zzCJC5T9kSHGHDoe00LV5c=
=BHnN
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.