dnsdist: CVE-2018-14663: Record smuggling when adding ECS or XPF

Related Vulnerabilities: CVE-2018-14663  

Debian Bug report logs - #913231

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 8 Nov 2018 14:39:01 UTC

Severity: important

Tags: security, upstream

Found in versions dnsdist/1.1.0-2+deb9u1, dnsdist/1.1.0-2, dnsdist/1.3.2-1

Fixed in version dnsdist/1.3.3-1

Done: Chris Hofstaedtler <zeha@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, dnsdist packagers <dnsdist@packages.debian.org>:
Bug#913231; Package src:dnsdist. (Thu, 08 Nov 2018 14:39:03 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, dnsdist packagers <dnsdist@packages.debian.org>. (Thu, 08 Nov 2018 14:39:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dnsdist: CVE-2018-14663: Record smuggling when adding ECS or XPF
Date: Thu, 08 Nov 2018 15:36:07 +0100
Source: dnsdist
Version: 1.3.2-1
Severity: important
Tags: security upstream
Control: found -1 1.1.0-2
Control: found -1 1.1.0-2+deb9u1

Hi,

The following vulnerability was published for dnsdist.

CVE-2018-14663[0]:
Record smuggling when adding ECS or XPF

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-14663
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14663
[1] https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2018-08.html

Regards,
Salvatore



Marked as found in versions dnsdist/1.1.0-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 08 Nov 2018 14:39:04 GMT).


Marked as found in versions dnsdist/1.1.0-2+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 08 Nov 2018 14:39:04 GMT).


Reply sent to Chris Hofstaedtler <zeha@debian.org>:
You have taken responsibility. (Fri, 09 Nov 2018 20:39:08 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 09 Nov 2018 20:39:08 GMT).


Message #14 received at 913231-close@bugs.debian.org:

From: Chris Hofstaedtler <zeha@debian.org>
To: 913231-close@bugs.debian.org
Subject: Bug#913231: fixed in dnsdist 1.3.3-1
Date: Fri, 09 Nov 2018 20:35:57 +0000
Source: dnsdist
Source-Version: 1.3.3-1

We believe that the bug you reported is fixed in the latest version of
dnsdist, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 913231@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Hofstaedtler <zeha@debian.org> (supplier of updated dnsdist package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 09 Nov 2018 19:34:32 +0000
Source: dnsdist
Binary: dnsdist
Architecture: source
Version: 1.3.3-1
Distribution: unstable
Urgency: medium
Maintainer: dnsdist packagers <dnsdist@packages.debian.org>
Changed-By: Chris Hofstaedtler <zeha@debian.org>
Description:
 dnsdist    - DNS loadbalancer
Closes: 913231
Changes:
 dnsdist (1.3.3-1) unstable; urgency=medium
 .
   * New upstream version 1.3.3, including fix for CVE-2018-14663
     (Closes: #913231).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 14 Dec 2018 07:28:45 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:47:56 2019; Machine Name: buxtehude
