> The exploit _has_ been published and Dan confirmed it. The
> current Metasploit implementation is not as fast as Dan's
> version, but it works. Several people reported exploits in
> the wild that are actively abusing said security hole.

Hmm, am obviously not up to date ;-)

>
> > The question therefore is if you will really gain a lot
> > of security with respect to the exploit in question. Hmm..
>
> Yes. You increase the entropy from 2^16 to 2^32 - 1025.
> This is not great security and DNSSEC is the only viable
> long-term solution, but right now, I am concerned to fully
> understand the impact of the exploit with regards to my
> three questions.

But are you really? My point is that the sequence of numbers both of the old bind random number generator and also, probably, the one used in the Linux kernel, can easily be predicted, if you can get hold of a small number of samples. Maybe that's irrelevant to the attack, but why did the bind people include OpenBSD's ARC4 PRNG then, accepting the big performance penalty this apparently causes... but I should really check out the details of the exploit...