On Fri, Aug 24, 2012 at 10:55 AM, Jeroen Massar <[email protected]> wrote: > On 2012-08-24 09:38, Julien Cristau wrote: >> Control: severity -1 wishlist >> >> On Tue, Aug 21, 2012 at 22:40:36 +0200, Jeroen Massar wrote: >> >>> Package: nsd3 >>> Severity: critical >>> >> Without justification, not quite. > > From the initial message: > > Bugfix #461 (VU#517036 CVE-2012-2979): NSD denial of service > vulnerability from DNS packet when using --enable-zone-stats.
Not used in Debian. > Bugfix #460: man page correction - identity. Documentation bug. > Fix for nsd-patch segfault if zone has been removed from nsd.conf > (thanks Ilya Bakulin) Not critical (cannot be triggered remotely or locally) and has a workaround. I might consider backporting this issue, but haven't seen the patch yet and don't have time for that now. > One would think that is critical enough to take the 5 minutes to update > the tar.gz from the vendor and roll a new Debian package. But not when there is a freeze in place, since it wouldn't automatically transfer to testing and would need a manual review by release team. O. -- Ondřej Surý <[email protected]> -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

