Your message dated Thu, 23 Aug 2007 22:45:07 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Fwd: Bug#438913: maradns: Remote DoS attack possible
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: maradns
Version: 1.2.12.04-1etch1
Severity: normal
From MaraDNS website:
MaraDNS would leak about 300 bytes whenever a specially crafted DNS packet
(either one with a non-0 Opcode, or a non-1 Class) was sent to the server.
This leak would have allowed an attacker to cause MaraDNS to allocate an
arbitrary large amount of memory by sending a very large number of invalid DNS
packers (sic) to the server running MaraDNS.
This affected the 1.2 and 1.3 branches of MaraDNS, and was fixed in MaraDNS
1.2.12.06 and the 1.3.05 releases of MaraDNS.
Impact: Remote denial of service.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (600, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-k7
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Versions of packages maradns depends on:
ii adduser 3.102 Add and remove users and groups
ii libc6 2.3.6.ds1-13etch2 GNU C Library: Shared libraries
maradns recommends no packages.
-- no debconf information
--- End Message ---
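
The report above ties the leak to queries with a non-0 Opcode or a non-1 Class. As an added example (not MaraDNS or Debian code), the following Python classifies UDP DNS payloads by those two header fields and counts the unusual ones per source, which is what an operator would watch for on an unpatched server. The function names, the sample packets and the 192.0.2.x addresses are constructed for illustration.

```python
import struct
from collections import Counter

def build_query(name, opcode=0, qclass=1, qtype=1):
    """Build a constructed DNS query payload to exercise the classifier."""
    flags = (opcode << 11) | 0x0100                    # Opcode field plus RD bit
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    return header + qname + struct.pack("!HH", qtype, qclass)

def classify_query(packet):
    """Return 'ok', 'opcode', 'class' or 'malformed' for one DNS payload."""
    if len(packet) < 12:                               # shorter than a DNS header
        return "malformed"
    _id, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if (flags >> 11) & 0xF != 0:                       # Opcode: 4 bits after QR
        return "opcode"
    if qdcount == 0:
        return "malformed"
    pos = 12
    while True:                                        # walk the QNAME labels
        if pos >= len(packet):
            return "malformed"
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                              # not a plain label (simplification)
            return "malformed"
        pos += length
    if pos + 4 > len(packet):                          # QTYPE and QCLASS must fit
        return "malformed"
    _qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return "ok" if qclass == 1 else "class"

def tally(samples):
    """Count non-'ok' verdicts per (source address, verdict)."""
    counts = Counter()
    for src, payload in samples:
        verdict = classify_query(payload)
        if verdict != "ok":
            counts[(src, verdict)] += 1
    return counts

SAMPLES = [                                            # constructed, not captured traffic
    ("192.0.2.10", build_query("example.com")),
    ("192.0.2.66", build_query("example.com", opcode=2)),
    ("192.0.2.66", build_query("example.com", opcode=2)),
    ("192.0.2.66", build_query("example.com", qclass=3)),
    ("192.0.2.77", b"\x12\x34\x01"),
]
```

A sustained count for one source under the `opcode` or `class` verdicts is the pattern the advisory describes; the fix remains running a release with the leak patched.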
--- Begin Message ---
Upstream just confirmed this bug is already fixed in the backported
1.2.12.04-1etch1.
Thanks for your concern!
---------- Forwarded message ----------
From: Sam Trenholme <[EMAIL PROTECTED]>
Date: Aug 23, 2007 10:00 PM
Subject: Re: Bug#438913: maradns: Remote DoS attack possible
To: [EMAIL PROTECTED]
This issue was already dealt with and closed in Debian bug 425753.
Take care,
- Sam
On 8/20/07, Kai Hendry <[EMAIL PROTECTED]> wrote:
> Ola Sam,
>
> I am thinking of how best to solve this security issue in stable. As
> you may know Debian's stable security update policy is really
> conservative. So I was hoping you could help me isolate the patch
> required for the existing 1.2.12.04-1 in stable, to become secure.
>
>
> Night,
>
> ---------- Forwarded message ----------
> From: Martin Nicholas <[EMAIL PROTECTED]>
> Date: Aug 20, 2007 6:51 PM
> Subject: Bug#438913: maradns: Remote DoS attack possible
> To: Debian Bug Tracking System <[EMAIL PROTECTED]>
>
>
> Package: maradns
> Version: 1.2.12.04-1etch1
> Severity: normal
>
> From MaraDNS website:
> MaraDNS would leak about 300 bytes whenever a specially crafted DNS
> packet (either one with a non-0 Opcode, or a non-1 Class) was sent to
> the server.
> This leak would have allowed an attacker to cause MaraDNS to allocate
> an arbitrary large amount of memory by sending a very large number of
> invalid DNS packers (sic) to the server running MaraDNS.
> This affected the 1.2 and 1.3 branches of MaraDNS, and was fixed in
> MaraDNS 1.2.12.06 and the 1.3.05 releases of MaraDNS.
>
> Impact: Remote denial of service.
>
> -- System Information:
> Debian Release: 4.0
> APT prefers stable
> APT policy: (600, 'stable')
> Architecture: i386 (i686)
> Shell: /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.16-2-k7
> Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
>
> Versions of packages maradns depends on:
> ii adduser 3.102 Add and remove users and groups
> ii libc6 2.3.6.ds1-13etch2 GNU C Library: Shared libraries
>
> maradns recommends no packages.
>
> -- no debconf information
>
--- End Message ---