Bug#685550: Please update nsd3 to upstream 3.2.13 - fixes VU#517036 CVE-2012-2979 and segfault
Control: severity -1 wishlist

On Tue, Aug 21, 2012 at 22:40:36 +0200, Jeroen Massar wrote:
> Package: nsd3
> Severity: critical

Without justification, not quite.

Cheers,
Julien
Bug#685550: Please update nsd3 to upstream 3.2.13 - fixes VU#517036 CVE-2012-2979 and segfault
On 2012-08-24 09:38, Julien Cristau wrote:
> Control: severity -1 wishlist
>
> On Tue, Aug 21, 2012 at 22:40:36 +0200, Jeroen Massar wrote:
>> Package: nsd3
>> Severity: critical
>
> Without justification, not quite.

From the initial message:

  Bugfix #461 (VU#517036 CVE-2012-2979): NSD denial of service
    vulnerability from DNS packet when using --enable-zone-stats.
  Bugfix #460: man page correction - identity.
  Fix for nsd-patch segfault if zone has been removed from nsd.conf
    (thanks Ilya Bakulin)

One would think that is critical enough to take the 5 minutes to update the tar.gz from the vendor and roll a new Debian package.

Anyway, in the meantime for our deployment we have done just that and put them in our private repo and deployed that on our servers.

Thank you for your concern!

Greets,
 Jeroen

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#685550: Please update nsd3 to upstream 3.2.13 - fixes VU#517036 CVE-2012-2979 and segfault
On Fri, Aug 24, 2012 at 10:55 AM, Jeroen Massar <jer...@unfix.org> wrote:
> On 2012-08-24 09:38, Julien Cristau wrote:
>> Control: severity -1 wishlist
>>
>> On Tue, Aug 21, 2012 at 22:40:36 +0200, Jeroen Massar wrote:
>>> Package: nsd3
>>> Severity: critical
>>
>> Without justification, not quite.
>
> From the initial message:
>
>   Bugfix #461 (VU#517036 CVE-2012-2979): NSD denial of service
>     vulnerability from DNS packet when using --enable-zone-stats.

Not used in Debian.

>   Bugfix #460: man page correction - identity.

Documentation bug.

>   Fix for nsd-patch segfault if zone has been removed from nsd.conf
>     (thanks Ilya Bakulin)

Not critical (cannot be triggered remotely or locally) and has a workaround. I might consider backporting this issue, but haven't seen the patch yet and don't have time for that now.

> One would think that is critical enough to take the 5 minutes to update
> the tar.gz from the vendor and roll a new Debian package.

But not when there is a freeze in place, since it wouldn't automatically transfer to testing and would need a manual review by the release team.

O.
-- 
Ondřej Surý <ond...@sury.org>
Bug#685550: Please update nsd3 to upstream 3.2.13 - fixes VU#517036 CVE-2012-2979 and segfault
On 2012-08-24 11:04, Ondřej Surý wrote:
[..]
>> One would think that is critical enough to take the 5 minutes to update
>> the tar.gz from the vendor and roll a new Debian package.
>
> But not when there is a freeze in place, since it wouldn't automatically
> transfer to testing and would need a manual review by the release team.

Aha, another freeze. That explains it a bit.

Note that I am never aware of these 'freezes' as we simply run unstable everywhere, as the newest tends to be the best, and as long as you upgrade one box for testing first and then do the rest there are very few issues that I have had over the last 15+ years of Debian usage...

Greets,
 Jeroen
Bug#685550: Please update nsd3 to upstream 3.2.13 - fixes VU#517036 CVE-2012-2979 and segfault
On 2012-08-22 00:50, Ondřej Surý wrote:
> Debian didn't enable bind9 stats so it's not vulnerable.

There are people who build from the source package and who might enable this; from that perspective it would be good to upgrade to it.

And there are also other fixes in that version, note the segfault fix for when a zone is gone from nsd.conf.

As such, it would be really nice to have a new version.

Greets,
 Jeroen
Bug#685550: Please update nsd3 to upstream 3.2.13 - fixes VU#517036 CVE-2012-2979 and segfault
Package: nsd3
Severity: critical

3.2.13 is out for a month already, might be nice to get an updated package...

Greets,
 Jeroen

-- 
https://www.nlnetlabs.nl/projects/nsd/

{{{
NSD 3.2.13
Jul 27, 2012

Bugfixes
  Bugfix #461 (VU#517036 CVE-2012-2979): NSD denial of service
    vulnerability from DNS packet when using --enable-zone-stats.
  Bugfix #460: man page correction - identity.
  Fix for nsd-patch segfault if zone has been removed from nsd.conf
    (thanks Ilya Bakulin)

NSD 3.2.12
Jul 19, 2012

Bugfixes
  Fix for VU#624931 CVE-2012-2978: NSD denial of service vulnerability
    from non-standard DNS packet from any host on the internet.

NSD 3.2.11
Jul 9, 2012

Features
  Fallback to AXFR if IXFR is unknown at the primary. NSD considers IXFR
    unknown at the primary if there is a negative response for the IXFR
    RRtype. This does not override the value for 'allow-axfr-fallback'.
  Allow for reading in new DNSKEY algorithm mnemonics (RFC5155, RFC5702,
    RFC5933, and RFC6605 (ECDSA)).
  Zone statistics, enable with --enable-zone-stats. This stores the BIND8
    stats per zone in a configurable statistics file. This option does not
    scale and should therefore not be enabled when serving many zones.
  Support for TLSA RRtype (DANE).

Bugfixes
  Fix for qtype ANY for a wildcard domain in NSEC signed zone: Don't add
    the wildcard domain NSEC into the answer section. Instead, put the
    wildcard expanded NSEC into the answer section and keep the wildcard
    domain NSEC in the authority section.
  Fix for accept spinning reported by OpenBSD.
  Fix restart failed due to bad ixfr packet because of zone removed from
    nsd.conf.
  Bugfix #453: typo in nsdc man page.
}}}
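The disagreement in this thread comes down to two facts per CVE: which upstream release fixed it, and whether the bug is reachable in the build you actually run (CVE-2012-2979 needs --enable-zone-stats, CVE-2012-2978 does not). The script below, an added example that is not code from NSD, NLnet Labs or the Debian nsd3 package, parses the changelog excerpt quoted in the report into a CVE -> fixed-in-release map and reports which fixes an installed version still lacks, honouring the configure-flag condition. It assumes the entry layout shown above (two-space indent starts an entry, deeper indent continues it) and keeps only the upstream dotted part of a version string, so a Debian epoch or revision such as 1:3.2.12-1 is ignored; the CHANGELOG constant is the quoted text, embedded so the script runs offline.

```python
"""Turn the NSD changelog excerpt into a CVE -> fixed-in-release map and
check an installed nsd3 version against it.

Added example for the bug thread; not code from NSD, NLnet Labs or the
Debian nsd3 package.  Assumptions: the changelog layout below (two-space
indent for an entry, four-space indent for continuation lines), and a
version parser that keeps only the upstream dotted part of a version.
"""
import re
from typing import List, NamedTuple, Tuple

# Excerpt of the upstream changelog quoted in the bug report (sample input
# constructed for this example; dates, blank lines and headings are skipped).
CHANGELOG = """\
NSD 3.2.13
Jul 27, 2012

Bugfixes
  Bugfix #461 (VU#517036 CVE-2012-2979): NSD denial of service
    vulnerability from DNS packet when using --enable-zone-stats.
  Bugfix #460: man page correction - identity.
  Fix for nsd-patch segfault if zone has been removed from nsd.conf
    (thanks Ilya Bakulin)

NSD 3.2.12
Jul 19, 2012

Bugfixes
  Fix for VU#624931 CVE-2012-2978: NSD denial of service vulnerability
    from non-standard DNS packet from any host on the internet.

NSD 3.2.11
Jul 9, 2012

Features
  Zone statistics, enable with --enable-zone-stats. This stores the BIND8
    stats per zone in a configurable statistics file.
"""


class Fix(NamedTuple):
    cve: str
    fixed_in: Tuple[int, ...]
    build_option: str   # configure flag the bug needs; '' if any build is affected
    entry: str          # the changelog entry joined onto one line


RELEASE_RE = re.compile(r"^NSD (\d+(?:\.\d+)+)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
OPTION_RE = re.compile(r"when using (--[\w-]+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Upstream numeric part of a version: '1:3.2.12-1' -> (3, 2, 12)."""
    upstream = text.strip().split(":")[-1].split("-")[0]
    return tuple(int(part) for part in upstream.split("."))


def parse_changelog(text: str) -> List[Fix]:
    """Collect every CVE mentioned in an entry, tagged with the release it
    appears under and with the configure flag named by 'when using --flag'."""
    fixes: List[Fix] = []
    release: Tuple[int, ...] = ()
    entry_lines: List[str] = []

    def flush() -> None:
        if not entry_lines:
            return
        entry = " ".join(line.strip() for line in entry_lines)
        option = OPTION_RE.search(entry)
        for cve in CVE_RE.findall(entry):
            fixes.append(Fix(cve, release, option.group(1) if option else "", entry))
        entry_lines.clear()

    for line in text.splitlines():
        header = RELEASE_RE.match(line)
        if header:
            flush()
            release = parse_version(header.group(1))
        elif line.startswith("    "):
            entry_lines.append(line)      # continuation of the current entry
        elif line.startswith("  "):
            flush()
            entry_lines.append(line)      # start of a new entry
        else:
            flush()                       # date, blank line or section heading
    flush()
    return fixes


def missing_fixes(installed: str, fixes: List[Fix],
                  build_options: Tuple[str, ...] = ()) -> List[str]:
    """CVE ids whose fix the installed version lacks.  A bug that exists only
    under a configure flag counts only if the binary was built with that flag,
    which is the distinction the maintainer draws for CVE-2012-2979."""
    version = parse_version(installed)
    return [f.cve for f in fixes
            if version < f.fixed_in
            and (not f.build_option or f.build_option in build_options)]


if __name__ == "__main__":
    fixes = parse_changelog(CHANGELOG)
    for f in fixes:
        print(f.cve, "fixed in", ".".join(map(str, f.fixed_in)),
              ("needs " + f.build_option) if f.build_option else "(any build)")
    # Stock Debian build, which does not pass --enable-zone-stats:
    print("3.2.12-1, stock build:", missing_fixes("3.2.12-1", fixes))
    # A rebuild from the source package with zone statistics enabled:
    print("3.2.12, --enable-zone-stats:",
          missing_fixes("3.2.12", fixes, ("--enable-zone-stats",)))
```

On a Debian host the installed version string to feed missing_fixes comes from dpkg-query -W -f='${Version}' nsd3; which configure flags the binary was built with has to be taken from the package's build rules, since the changelog alone cannot tell you that.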
Bug#685550: Please update nsd3 to upstream 3.2.13 - fixes VU#517036 CVE-2012-2979 and segfault
Debian didn't enable bind9 stats so it's not vulnerable.

Ondřej Surý

On 21. 8. 2012, at 22:40, Jeroen Massar <jer...@unfix.org> wrote:

> Package: nsd3
> Severity: critical
>
> 3.2.13 is out for a month already, might be nice to get an updated package...
>
> Greets,
>  Jeroen
>
> -- 
> https://www.nlnetlabs.nl/projects/nsd/
>
> {{{
> NSD 3.2.13
> Jul 27, 2012
>
> Bugfixes
>   Bugfix #461 (VU#517036 CVE-2012-2979): NSD denial of service
>     vulnerability from DNS packet when using --enable-zone-stats.
>   Bugfix #460: man page correction - identity.
>   Fix for nsd-patch segfault if zone has been removed from nsd.conf
>     (thanks Ilya Bakulin)
>
> NSD 3.2.12
> Jul 19, 2012
>
> Bugfixes
>   Fix for VU#624931 CVE-2012-2978: NSD denial of service vulnerability
>     from non-standard DNS packet from any host on the internet.
>
> NSD 3.2.11
> Jul 9, 2012
>
> Features
>   Fallback to AXFR if IXFR is unknown at the primary. NSD considers IXFR
>     unknown at the primary if there is a negative response for the IXFR
>     RRtype. This does not override the value for 'allow-axfr-fallback'.
>   Allow for reading in new DNSKEY algorithm mnemonics (RFC5155, RFC5702,
>     RFC5933, and RFC6605 (ECDSA)).
>   Zone statistics, enable with --enable-zone-stats. This stores the BIND8
>     stats per zone in a configurable statistics file. This option does not
>     scale and should therefore not be enabled when serving many zones.
>   Support for TLSA RRtype (DANE).
>
> Bugfixes
>   Fix for qtype ANY for a wildcard domain in NSEC signed zone: Don't add
>     the wildcard domain NSEC into the answer section. Instead, put the
>     wildcard expanded NSEC into the answer section and keep the wildcard
>     domain NSEC in the authority section.
>   Fix for accept spinning reported by OpenBSD.
>   Fix restart failed due to bad ixfr packet because of zone removed from
>     nsd.conf.
>   Bugfix #453: typo in nsdc man page.
> }}}