461495 – (CVE-2008-3905) CVE-2008-3905 ruby: use of predictable source port and transaction id in DNS requests done by resolv.rb module

Bug 461495 (CVE-2008-3905) - CVE-2008-3905 ruby: use of predictable source port and transaction id in DNS requests done by resolv.rb module

Summary: CVE-2008-3905 ruby: use of predictable source port and transaction id in DNS ...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2008-3905
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	461578 461579 461580 461590 461591
Blocks:
TreeView+	depends on / blocked

Reported:	2008-09-08 15:31 UTC by Tomas Hoger
Modified:	2019-09-29 12:26 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-11-13 15:23:44 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2008:0896	0	normal	SHIPPED_LIVE	Moderate: ruby security update	2008-10-21 14:52:39 UTC
Red Hat Product Errata	RHSA-2008:0897	0	normal	SHIPPED_LIVE	Moderate: ruby security update	2008-10-21 14:43:41 UTC

Description Tomas Hoger 2008-09-08 15:31:16 UTC

Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3905 to the following vulnerability:

resolv.rb in Ruby 1.8.5 and earlier, 1.8.6 before 1.8.6-p287, 1.8.7
before 1.8.7-p72, and 1.9 r18423 and earlier uses sequential
transaction IDs and constant source ports for DNS requests, which
makes it easier for remote attackers to spoof DNS responses, a
different vulnerability than CVE-2008-1447.

References:
http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
http://www.openwall.com/lists/oss-security/2008/09/04/9

Upstream patch:
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=18424

Comment 8 Fedora Update System 2008-10-09 21:35:07 UTC

ruby-1.8.6.287-2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Red Hat Product Security 2008-11-13 15:23:44 UTC

This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0897.html
  http://rhn.redhat.com/errata/RHSA-2008-0896.html

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-8736
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-8738

Note You need to log in before you can comment on or make changes to this bug.