dnsdist: CVE-2016-7069 CVE-2017-7557

Related Vulnerabilities: CVE-2016-7069   CVE-2017-7557  

Debian Bug report logs - #872854

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 21 Aug 2017 20:18:04 UTC

Severity: important

Tags: patch, security, upstream

Found in version dnsdist/1.1.0-2

Fixed in versions dnsdist/1.2.0-1, dnsdist/1.1.0-2+deb9u1

Done: Christian Hofstaedtler <zeha@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>:
Bug#872854; Package src:dnsdist. (Mon, 21 Aug 2017 20:18:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>. (Mon, 21 Aug 2017 20:18:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dnsdist: CVE-2016-7069 CVE-2017-7557
Date: Mon, 21 Aug 2017 22:15:45 +0200
Source: dnsdist
Version: 1.1.0-2
Severity: important
Tags: security patch upstream

Hi,

the following vulnerabilities were published for dnsdist, not filing
two bugs individually since 1.1.0 is common for all affected suites.

CVE-2016-7069[0]:
Crafted backend responses can cause a denial of service

CVE-2017-7557[1]:
Alteration of ACLs via API authentication bypass

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-7069
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7069
[1] https://security-tracker.debian.org/tracker/CVE-2017-7557
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7557

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>:
Bug#872854; Package src:dnsdist. (Tue, 22 Aug 2017 09:48:02 GMT)


Acknowledgement sent to Christian Hofstaedtler <zeha@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>. (Tue, 22 Aug 2017 09:48:02 GMT)


Message #10 received at 872854@bugs.debian.org:

From: Christian Hofstaedtler <zeha@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 872854@bugs.debian.org
Subject: Re: Bug#872854: dnsdist: CVE-2016-7069 CVE-2017-7557
Date: Tue, 22 Aug 2017 11:36:49 +0200

> CVE-2016-7069[0]:
> Crafted backend responses can cause a denial of service
> 
> CVE-2017-7557[1]:
> Alteration of ACLs via API authentication bypass

Source patches for 1.1.0 are available here:

https://downloads.powerdns.com/patches/2017-01/
https://downloads.powerdns.com/patches/2017-02/




Reply sent to Christian Hofstaedtler <zeha@debian.org>:
You have taken responsibility. (Tue, 22 Aug 2017 13:39:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 22 Aug 2017 13:39:05 GMT)


Message #15 received at 872854-close@bugs.debian.org:

From: Christian Hofstaedtler <zeha@debian.org>
To: 872854-close@bugs.debian.org
Subject: Bug#872854: fixed in dnsdist 1.2.0-1
Date: Tue, 22 Aug 2017 13:34:35 +0000
Source: dnsdist
Source-Version: 1.2.0-1

We believe that the bug you reported is fixed in the latest version of
dnsdist, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 872854@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hofstaedtler <zeha@debian.org> (supplier of updated dnsdist package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 22 Aug 2017 09:47:47 +0000
Source: dnsdist
Binary: dnsdist
Architecture: source
Version: 1.2.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>
Changed-By: Christian Hofstaedtler <zeha@debian.org>
Description:
 dnsdist    - DNS loadbalancer
Closes: 872854
Changes:
 dnsdist (1.2.0-1) unstable; urgency=medium
 .
   * New upstream version 1.2.0, fixes CVE-2016-7069, CVE-2017-7557.
     (Closes: #872854)
   * Install config example
   * Remove now-default options to dh
   * Force rebuild of dnslabeltext.cc
   * Update debian/copyright
   * Bump Standards-Version to 4.1.0




Reply sent to Christian Hofstaedtler <zeha@debian.org>:
You have taken responsibility. (Wed, 23 Aug 2017 20:51:38 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 23 Aug 2017 20:51:38 GMT)


Message #20 received at 872854-close@bugs.debian.org:

From: Christian Hofstaedtler <zeha@debian.org>
To: 872854-close@bugs.debian.org
Subject: Bug#872854: fixed in dnsdist 1.1.0-2+deb9u1
Date: Wed, 23 Aug 2017 20:47:14 +0000
Source: dnsdist
Source-Version: 1.1.0-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
dnsdist, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 872854@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hofstaedtler <zeha@debian.org> (supplier of updated dnsdist package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 22 Aug 2017 13:58:05 +0000
Source: dnsdist
Binary: dnsdist
Architecture: source
Version: 1.1.0-2+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>
Changed-By: Christian Hofstaedtler <zeha@debian.org>
Description:
 dnsdist    - DNS loadbalancer
Closes: 872854
Changes:
 dnsdist (1.1.0-2+deb9u1) stretch; urgency=medium
 .
   * Fix CVE-2016-7069, CVE-2017-7557 using patches from upstream
     (Closes: #872854)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Sep 2017 07:28:37 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:43:45 2019; Machine Name: buxtehude
