[PLUG] IT: Dan Bernstein Confirms Security Flaw In Djbdns
http://it.slashdot.org/article.pl?sid=09/03/05/2014249
IT: Dan Bernstein Confirms Security Flaw In Djbdns
Posted by timothy on Thursday March 05, @03:52PM
from the gets-yer-money-and-takes-yer-chances dept.
secmartin writes:
"Dan Bernstein has just admitted that a security issue has been found
in the djbdns software [1], one of the most popular alternatives for the
BIND nameserver. As part of the djbdns security guarantee, $1000 will be
paid to Matthew Dempsky, the researcher that found the bug. The bug
allows a nameserver running djbdns to be poisoned [2] using just a
single packet. Other researchers have found a separate issue [3] that
allows dnscache, the DNS cache that is also part of the djbdns package,
to be poisoned within just 18 minutes when using the default
configuration. Anyone using djbdns is strongly encouraged to patch their
servers immediately."
Reader emad contributes a link to the djbdns mailing list post
containing both a patch and a sample exploit [4], and adds:
"In the words of Dan Kaminsky (of recent DNS security fame) [5]:
'However, Dempsky's bug in djb's tinydns is way more surprising, if only
because ... holy crap, he pulled an exploitable scenario out of THAT?!'"
[1] http://securityandthe.net/2009/03/05/security-issue-in-djbdns-confirmed/
[2] http://en.wikipedia.org/wiki/DNS_cache_poisoning
[3] http://www.your.org/dnscache/djbdns.pdf
[4] http://marc.info/?l=djbdns&m=123554945710038
[5] http://twitter.com/dakami/status/1260880457
--
Later,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP |:::======| http://bashcookbook.com/
My Account, My Opinions |=========| http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug