On Fri, Aug 24, 2012 at 10:55 AM, Jeroen Massar <[email protected]> wrote:
> On 2012-08-24 09:38, Julien Cristau wrote:
>> Control: severity -1 wishlist
>>
>> On Tue, Aug 21, 2012 at 22:40:36 +0200, Jeroen Massar wrote:
>>
>>> Package: nsd3
>>> Severity: critical
>>>
>> Without justification, not quite.
>
> From the initial message:
>
> Bugfix #461 (VU#517036 CVE-2012-2979): NSD denial of service
> vulnerability from DNS packet when using --enable-zone-stats.

Not used in Debian.

> Bugfix #460: man page correction - identity.

Documentation bug.

> Fix for nsd-patch segfault if zone has been removed from nsd.conf
> (thanks Ilya Bakulin)

Not critical (cannot be triggered remotely or locally) and has a
workaround.  I might consider backporting this issue, but haven't seen
the patch yet and don't have time for that now.

> One would think that is critical enough to take the 5 minutes to update
> the tar.gz from the vendor and roll a new Debian package.

But not when there is a freeze in place, since it wouldn't automatically
transfer to testing and would need a manual review by release team.

O.
-- 
Ondřej Surý <[email protected]>


--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to