uClibc-ng Vulnerability

Vulnerability:

The uClibc and uClibc-ng libraries generate DNS requests with incremental
transaction IDs, while, at the same time, not enforcing any explicit port
randomization techniques during the network connection.
This may result in the possibility for an attacker to perform DNS Cache
Poisoning attacks. More information in the "Exploitability" section here
below.
The vulnerability was confirmed statically and dynamically on version
0.9.33.2. By downloading all releases available on uClibc website, the
vulnerability was confirmed statically in all versions (up to and including
0.9.33.2).
Additionally, by downloading all releases of the uClibc-ng available, the
vulnerability was confirmed statically for this library in all versions (up to
and including 1.0.38, latest available at the time of the research).

https://mailman.openadk.org/mailman3/hyperkitty/list/devel@uclibc-ng.org/thread/6JWRW3P4VN54J5FHUDK7IQOU4V35HHDZ/

Thank's for the link, that topic didn't show up in my searches.

Anyhow would it make sense to mention that vulnerabilty here: https://openwrt.org/docs/guide-developer/security even it does not affect recent versions of openwrt?

Sadly the media coverage even mentions openwrt somewhat as affected.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.