blob: 5b5d6a0152838716998cdda71afb33e5e8762cc8 [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200708-06">
<title>Net::DNS: Multiple vulnerabilities</title>
Multiple vulnerabilities have been discovered in the Net::DNS Perl module,
allowing for a Denial of Service and a cache poisoning attack.
<product type="ebuild">net-dns</product>
<announced>August 11, 2007</announced>
<revised>August 11, 2007: 01</revised>
<package name="dev-perl/Net-DNS" auto="yes" arch="*">
<unaffected range="ge">0.60</unaffected>
<vulnerable range="lt">0.60</vulnerable>
Net::DNS is a Perl implementation of a DNS resolver.
hjp discovered an error when handling DNS query IDs which make them
partially predictable. Steffen Ullrich discovered an error in the
dn_expand() function which could lead to an endless loop.
<impact type="normal">
A remote attacker could send a specially crafted DNS request to the
server which could result in a Denial of Service with an infinite
recursion, or perform a cache poisoning attack.
There is no known workaround at this time.
All Net::DNS users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=dev-perl/Net-DNS-0.60&quot;</code>
<uri link="">CVE-2007-3377</uri>
<uri link="">CVE-2007-3409</uri>
<metadata tag="requester" timestamp="Mon, 16 Jul 2007 13:12:37 +0000">
<metadata tag="bugReady" timestamp="Wed, 25 Jul 2007 05:32:52 +0000">
<metadata tag="submitter" timestamp="Mon, 30 Jul 2007 09:51:53 +0000">