miekg/dns insecurely generates random numbers
Moderate severity
GitHub Reviewed
Published May 18, 2021 to the GitHub Advisory Database. Updated Aug 29, 2023.
Package
Affected versions: < 1.1.25
Patched versions: 1.1.25
Reviewed May 18, 2021
Description
The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.
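The weakness described above, as an added Go example (not code from miekg/dns or CoreDNS): a 16-bit transaction-ID source built on math/rand is fully determined by its seed, shown beside a version that draws from crypto/rand. The type and function names are hypothetical and the seed value is constructed.

```go
package main

import (
	crand "crypto/rand"
	"encoding/binary"
	"fmt"
	mrand "math/rand"
)

// weakIDGen models a DNS transaction-ID source built on math/rand.
// Hypothetical type for illustration; not the library's own code.
type weakIDGen struct{ r *mrand.Rand }

func newWeakIDGen(seed int64) *weakIDGen {
	return &weakIDGen{r: mrand.New(mrand.NewSource(seed))}
}

// Next returns the next 16-bit ID from the deterministic stream.
func (g *weakIDGen) Next() uint16 { return uint16(g.r.Uint32()) }

// secureID draws the 16-bit ID from the operating system CSPRNG,
// so earlier IDs give no information about later ones.
func secureID() (uint16, error) {
	var b [2]byte
	if _, err := crand.Read(b[:]); err != nil {
		return 0, err
	}
	return binary.BigEndian.Uint16(b[:]), nil
}

// replayMatches reports whether a second generator built from the same
// seed reproduces the first n IDs of the original one.
func replayMatches(seed int64, n int) bool {
	a, b := newWeakIDGen(seed), newWeakIDGen(seed)
	for i := 0; i < n; i++ {
		if a.Next() != b.Next() {
			return false
		}
	}
	return true
}

func main() {
	// 42 is a constructed seed; any value gives the same result.
	fmt.Println("math/rand IDs reproducible from seed:", replayMatches(42, 8))
	id, err := secureID()
	fmt.Println("crypto/rand ID:", id, "err:", err)
}
```
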
References