Debian Security Advisory DSA 1544-2 (pdns-recursor)

The remote host is missing an update to pdns-recursor announced via advisory DSA 1544-2.

Thomas Biege discovered that the upstream fix for the weak random number generator released in DSA-1544-1 was incomplete: Source port randomization did still not use difficult-to-predict random numbers. This is corrected in this security update. Here is the text of the original advisory: Amit Klein discovered that pdns-recursor, a caching DNS resolver, uses a weak random number generator to create DNS transaction IDs and UDP source port numbers. As a result, cache poisoning attacks were simplified. (CVE-2008-1637) In the light of recent DNS-related developments (documented in DSAs 1603, 1604, 1605), we recommend that this update is installed as an additional safety measure. (The lack of source port randomization was addressed in the 3.1.6 upstream version.) In addition, this update incorporates the changed IP address of L.ROOT-SERVERS.NET. For the stable distribution (etch), this problem has been fixed in version 3.1.4-1+etch2. For the unstable distribution (sid), this problem has been fixed in version 3.1.7-1. We recommend that you upgrade your pdns-recursor package.

https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201544-2