Hello folks,

If we look here: http://security-tracker.debian.org/tracker/CVE-2012-1033 it appears as though this CVE has been written off as a DNS protocol flaw, I believe based on the original ISC announcement here: https://www.isc.org/software/bind/advisories/cve-2012-1033 (first sentence under Solution:).

Now, I don't disagree with you; however, ISC have subsequently issued a patch which mitigates (a bit lamely, IMHO) the problem (second paragraph of Solution: **Delayed Update of 29 May --), and this upstream patch hasn't found its way into Debian, I suspect because of this delay.

Whether this is a real security issue or not (bun fight!), it causes a problem with verifying Debian systems as PCI DSS compliant, because there _is_ an upstream patch to mitigate the problem which isn't applied to Debian packages. "Not known to be vulnerable" is not quite the same strength of statement as "fixed", and then we're into "you must upgrade to the latest version" hell.

Is there any chance you could see your way to patching in "3282. [bug] Restrict the TTL of NS RRset to no more than that of the old NS RRset when replacing it. [RT #27792] [RT #27884]" from upstream so that we can have a "fixed" status? It might even improve security, you never know.

Finally, I'd like to take this opportunity to offer my thanks for your truly outstanding work. I've been a Debian advocate for a long time now; I couldn't do that, or my job as it stands, without the security team making Debian stable a viable (awesome) platform.

-- 
--------------------------------------------
Mike Ashton
Head of Technical Operations пиво царь
moo.com :: email | [email protected]
--------------------------------------------
MOO Print Ltd
32 Scrutton Street (Rear)
London EC2A 4RQ
+44(0) 207 392 2781 (x1022)
--------------------------------------------
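The upstream change requested above, as an added illustration that is not code from the original post, from ISC's BIND or from Debian: a toy resolver cache in Python that applies the one rule quoted from change 3282, capping the TTL of a replacement NS RRset at the remaining TTL of the NS RRset it replaces. The zone name, nameserver names, TTLs and the cache clock are constructed for the example. Treating an already-expired old RRset as absent, so that it does not cap the replacement, is my assumption about sensible behaviour, not something the post or the ISC advisory states.

```python
"""Toy resolver cache illustrating the NS TTL cap from BIND change 3282.

Added example, not BIND source. The only rule taken from the post is
"restrict the TTL of the NS RRset to no more than that of the old NS RRset
when replacing it"; everything else here (names, clock, layout) is
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class NSRRset:
    nameservers: Tuple[str, ...]
    ttl: int            # TTL in seconds as stored in the cache
    inserted_at: int    # value of the cache clock (seconds) when stored

    def remaining(self, now: int) -> int:
        """Seconds of life left at time `now` (0 once expired)."""
        return max(0, self.ttl - (now - self.inserted_at))

    def expires_at(self) -> int:
        return self.inserted_at + self.ttl


class NSCache:
    """Holds one NS RRset per zone name, keyed by owner name."""

    def __init__(self, cap_ttl_to_old: bool) -> None:
        # True  -> behaviour with change 3282 applied
        # False -> behaviour without it (replacement keeps its own TTL)
        self.cap_ttl_to_old = cap_ttl_to_old
        self._ns: Dict[str, NSRRset] = {}

    def get(self, name: str, now: int) -> Optional[NSRRset]:
        rr = self._ns.get(name)
        # Assumption: an expired entry is treated as if it were not cached.
        if rr is None or rr.remaining(now) == 0:
            return None
        return rr

    def store(self, name: str, nameservers: Tuple[str, ...], ttl: int, now: int) -> int:
        """Insert or replace the NS RRset for `name`; returns the TTL used."""
        old = self.get(name, now)
        effective_ttl = ttl
        if old is not None and self.cap_ttl_to_old:
            # Change 3282: the replacement may not outlive the old RRset.
            effective_ttl = min(ttl, old.remaining(now))
        self._ns[name] = NSRRset(tuple(nameservers), effective_ttl, now)
        return effective_ttl


def simulate(cap_ttl_to_old: bool) -> Tuple[int, int]:
    """Cache an NS RRset, then replace it shortly before it would expire.

    Returns (TTL actually stored for the replacement, its expiry on the
    cache clock). Constructed scenario: a one-day TTL, refreshed at t=80000.
    """
    cache = NSCache(cap_ttl_to_old)
    zone = "example.test."
    ns = ("ns1.example.test.", "ns2.example.test.")
    cache.store(zone, ns, ttl=86400, now=0)
    effective_ttl = cache.store(zone, ns, ttl=86400, now=80000)
    rr = cache.get(zone, now=80000)
    assert rr is not None
    return effective_ttl, rr.expires_at()


def still_cached_at(cap_ttl_to_old: bool, now: int) -> bool:
    """Whether the refreshed delegation from simulate() is still served at `now`."""
    cache = NSCache(cap_ttl_to_old)
    zone = "example.test."
    ns = ("ns1.example.test.", "ns2.example.test.")
    cache.store(zone, ns, ttl=86400, now=0)
    cache.store(zone, ns, ttl=86400, now=80000)
    return cache.get(zone, now=now) is not None


if __name__ == "__main__":
    print("without cap:", simulate(False))   # replacement expires at 166400
    print("with cap:   ", simulate(True))    # replacement expires at 86400
```

Without the cap, every refresh of the NS RRset restarts its full TTL, so a delegation can be kept in cache indefinitely by re-learning it before it expires; with the cap, the refreshed RRset inherits the 6400 seconds the old one had left and the cached delegation still goes away at the original expiry time.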

