Bug 1159274 - (CVE-2019-19794) VUL-0: CVE-2019-19794: coredns: The miekg Go DNS package improperly generates random numbers because math/rand is used
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Minor
Assigned To: Containers Team
Security Team bot
https://smash.suse.de/issue/249055/
CVSSv3.1:SUSE:CVE-2019-19794:5.9:(AV...
Reported: 2019-12-16 10:36 UTC by Robert Frohl
Modified: 2022-02-13 11:45 UTC (History)
Found By: Security Response Team
Description Robert Frohl 2019-12-16 10:36:24 UTC
CVE-2019-19794

The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and
other products, improperly generates random numbers because math/rand is used.
The TXID becomes predictable, leading to response forgeries.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19794
https://github.com/miekg/dns/issues/1043
https://github.com/miekg/dns/pull/1044
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19794
https://github.com/coredns/coredns/issues/3519
https://github.com/miekg/dns/compare/v1.1.24...v1.1.25
Comment 1 Alexandros Toptsoglou 2020-11-02 16:17:52 UTC
CAASP 4.0 and 4.5 are tracked as affected. Factory is already fixed.
Comment 2 Klaus Kämpf 2020-11-03 08:43:10 UTC
CaaSP 4.5 is already at 1.6.7, only CaaSP 4.2 is affected.