As per the attached email, I wonder if you would be interested in point
releases for the old versions of maradns to fix #653838 and what the
relevant timescales would be.
There is also the question of unarchiving and fixing #584587 in the
lenny version whilst we still have the chance.
--- Begin Message ---
Hi Nicholas,
On Friday 30 December 2011 20:18:16, Nicholas Bamber wrote:
> As per this email I am preparing 1.4.08-1 of the maradns package. I am
> wondering what your view would be about the old versions of maradns. It
> does not look like a very large patch.
Thanks. You should indeed upload 1.4.09 to unstable and set urgency=medium.
Talking about updating (old)stable. I've been pondering the issue a while. My
preliminary conclusion is that this is an issue worth fixing, because breaking
DNS of course breaks an entire network, but especially because MaraDNS
advertises itself as a 'security-focused' product specifically.
However, in order to exploit it, one needs to allow untrusted users to perform
recursive queries. As we all know, allowing the general public to perform
recursive queries on your server is considered a security problem to begin
with, so we can expect this not to be a very common case. Of course there will
be an installation here or there that caters to some internal network on which
not everyone is fully trusted, but that seems like a border case to me.
So concluding, I would say that this issue is very fit for a stable point
update, not a DSA. You should get in contact with the SRMs about this
straight away, since a point release for squeeze is around the corner.
I would definitely also update Lenny, because (a) upstream has actually
released a patch for the version in lenny, and (b) this month is the last
chance to do so.
Are you available to take care of this?
Cheers,
Thijs
--- End Message ---