Your message dated Sun, 22 Oct 2017 13:19:11 +0200
with message-id <1508671151.815349.1146906880.773a8...@webmail.messagingengine.com>
and subject line Closing bugs in old-old-stable bind9 versions
has caused the Debian Bug report #192047,
regarding lwresd binds to 0.0.0.0 in spite of man page
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
192047: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=192047
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: lwresd
Version: 1:9.2.1-2.woody.1
Severity: grave
Tags: security
Justification: user security hole

The manpage claims that 
       lwresd listens for resolver queries on a UDP port on the IPv4
       loopback interface, 127.0.0.1. This means  that lwresd can only
       be used by processes running on the local machine. By default UDP
       port number 921 is used for lightweight resolver requests and
       responses.
but netstat -a -n -p shows that
        udp        0      0 0.0.0.0:32768           0.0.0.0:*                   211/lwresd
        udp        0      0 127.0.0.1:921           0.0.0.0:*                   211/lwresd
        unix  2      [ ]         DGRAM                    304    211/lwresd
     
- lwresd listens to non-local requests.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux colo.khms.westfalen.de 2.4.20+colo.1 #1 Mon May 5 11:00:33 CEST 2003 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages lwresd depends on:
ii  libc6                  2.3.1-17          GNU C Library: Shared libraries an
ii  libdns5                1:9.2.1-2.woody.1 DNS Shared Library used by BIND
ii  libisc4                1:9.2.1-2.woody.1 ISC Shared Library used by BIND
ii  libisccc0              1:9.2.1-2.woody.1 Command Channel Library used by BI
ii  libisccfg0             1:9.2.1-2.woody.1 Config File Handling Library used 
ii  liblwres1              1:9.2.1-2.woody.1 Lightweight Resolver Library used 
ii  libssl0.9.6            0.9.6c-2.woody.3  SSL shared libraries



--- End Message ---
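
The check made by hand in the report above can be scripted. The following is an added example, not part of the original report or of bind9: it parses `netstat -a -n -p` output and classifies each UDP/TCP socket owned by one program by its bind address. The function names and the embedded sample (the rows from the report, folded as in the mail) are assumptions of this example; it reports where a socket is bound, not what is served on it.

```python
import ipaddress
import re

# Constructed input: the netstat rows quoted in the report, with the
# PID/Program column folded onto its own line as the mail wrapped it.
SAMPLE = """\
udp        0      0 0.0.0.0:32768           0.0.0.0:*
211/lwresd
udp        0      0 127.0.0.1:921           0.0.0.0:*
211/lwresd
unix  2      [ ]         DGRAM                    304    211/lwresd
"""

INET_PROTOS = {"tcp", "tcp6", "udp", "udp6"}
PID_PROG = re.compile(r"^\d+/(\S+)$")  # e.g. "211/lwresd"


def inet_rows(text):
    """Return tcp/udp rows as field lists, re-joining folded PID/Program lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] in INET_PROTOS:
            rows.append(fields)
        elif rows and PID_PROG.match(fields[0]) and not PID_PROG.match(rows[-1][-1]):
            rows[-1].extend(fields)  # continuation of the previous row
    return rows


def bind_scope(text, program):
    """Map (proto, port) -> 'loopback' | 'wildcard' | 'specific' for one program."""
    result = {}
    for fields in inet_rows(text):
        owner = PID_PROG.match(fields[-1])
        if len(fields) < 5 or not owner or owner.group(1) != program:
            continue
        # Local Address is the fourth column; split on the last ':' so
        # IPv6 forms such as ":::53" yield host "::" and port "53".
        host, _, port = fields[3].rpartition(":")
        addr = ipaddress.ip_address(host)
        if addr.is_unspecified:
            scope = "wildcard"
        elif addr.is_loopback:
            scope = "loopback"
        else:
            scope = "specific"
        result[(fields[0], int(port))] = scope
    return result


if __name__ == "__main__":
    for (proto, port), scope in sorted(bind_scope(SAMPLE, "lwresd").items()):
        print(f"{proto}/{port}: {scope}")
```
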
--- Begin Message ---
Version: 1:9.10.3.dfsg.P4-12.3

Hi,

the bind9 bug list grew too much and the Debian BIND team cannot
simply test all the reported bugs against versions not in stable, so
this is a mass bug close, as either the version is no longer relevant
(because of old-old-stable 9.8.x or old-stable 9.9.5 or even older
version of bind9) or the bug was already fixed.

However, if you can reproduce the bug with a current version in stable,
please use Debian BTS 'found <bug> <version_you_reproduced_the_issue>'
command to retag the bug and reopen it.

Cheers,
Ondrej



--- End Message ---