CVE-2022-30295
Published: 6 May 2022
uClibc-ng through 1.0.40 and uClibc through 0.9.33.2 use predictable DNS transaction IDs that may lead to DNS cache poisoning. This is related to a reset of a value to 0x2.
Notes
Author | Note |
---|---|
sbeattie | ubuntu removed uClibc from the Ubuntu archive in 2011 and did not bring it back even when debian converted to using uClibc-ng in the src:uclibc pacakge. |
Priority
CVSS 3 base score: 6.5
Status
Package | Release | Status |
---|---|---|
uclibc Launchpad, Ubuntu, Debian |
trusty |
Does not exist
|
xenial |
Does not exist
|
|
bionic |
Does not exist
|
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
upstream |
Released
(1.0.41-1)
|
|
Patches: upstream: https://cgit.uclibc-ng.org/cgi/cgit/uclibc-ng.git/commit/?id=f73fcb3d067e22817189077c9b7bd2417c930d34 |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30295
- https://kb.cert.org/vuls/id/473698
- https://launchpad.net/ubuntu/+source/uclibc/+publishinghistory
- https://www.nozominetworks.com/blog/nozomi-networks-discovers-unpatched-dns-bug-in-popular-c-standard-library-putting-iot-at-risk/
- NVD
- Launchpad
- Debian