Package: release.debian.org Severity: normal User: [email protected] Usertags: pu
Dear RMs, Please accept this stable upload to fix #665012 (CVE-2012-1570: maradns deleted domain record cache persistance flaw). It is an NMU as part of the PRSC effort. The patch comes from upstream and is a direct copy of the original fix in unstable. maradns-1.4.03/debian/changelog | 8 ++++++++ server/recursive.c | 8 ++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) Thanks. -- System Information: Debian Release: 7.0 APT prefers testing APT policy: (990, 'testing'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -u maradns-1.4.03/debian/changelog maradns-1.4.03/debian/changelog --- maradns-1.4.03/debian/changelog +++ maradns-1.4.03/debian/changelog @@ -1,3 +1,11 @@ +maradns (1.4.03-1.1+squeeze1) stable; urgency=low + + * Non-maintainer upload. + * Backport fix from upstream for CVE-2012-1570 (deleted domain record + cache persistence flaw). Closes: #665012 + + -- Jonathan Wiltshire <[email protected]> Fri, 01 Feb 2013 16:31:00 +0000 + maradns (1.4.03-1.1) unstable; urgency=high * Non-maintainer upload by the Security Team only in patch2: unchanged: --- maradns-1.4.03.orig/server/recursive.c +++ maradns-1.4.03/server/recursive.c @@ -1370,6 +1370,10 @@ ttl = js_readuint32(server_reply,offset); if(ttl == JS_ERROR) return JS_ERROR; + if(ttl < 20) + ttl = 20; + if(ttl > 86400) /* One day; Ghost domain fix */ + ttl = 86400; offset += 4; /* Get the rdlength of the SOA record */ rdlength = js_readuint16(server_reply,offset); @@ -2019,8 +2023,8 @@ problems that Franky reported */ if(ttl < 20) ttl = 20; - if(ttl > 63072000) /* Two years */ - ttl = 63072000; + if(ttl > 86400) /* One day; Ghost domain fix */ + ttl = 86400; /* If this is a CNAME answer then we don't store it for over * 15 minutes */ if(ttl > 900 && cname_original_record != 0)
