pdns: CVE-2016-6172: Improper restriction of zone size limit

Related Vulnerabilities: CVE-2016-6172   CVE-2016-5426   CVE-2016-5427  

Debian Bug report logs - #830808

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 11 Jul 2016 18:45:06 UTC

Severity: important

Tags: security, upstream

Found in versions pdns/3.4.1-4, pdns/4.0.0~beta1-1

Fixed in versions pdns/4.0.1-1, pdns/3.4.1-4+deb8u6

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/PowerDNS/pdns/issues/4128



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PowerDNS Maintainers <pkg-pdns-maintainers@lists.alioth.debian.org>:
Bug#830808; Package src:pdns. (Mon, 11 Jul 2016 18:45:10 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PowerDNS Maintainers <pkg-pdns-maintainers@lists.alioth.debian.org>. (Mon, 11 Jul 2016 18:45:10 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pdns: CVE-2016-6172: Improper restriction of zone size limit
Date: Mon, 11 Jul 2016 20:44:04 +0200
Source: pdns
Version: 4.0.0~beta1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/PowerDNS/pdns/issues/4128

Hi,

the following vulnerability was published for pdns.

CVE-2016-6172[0]:
Improper restriction of zone size limit

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-6172
[1] https://github.com/PowerDNS/pdns/issues/4128

Please adjust the affected versions in the BTS as needed.

As mentioned at DebConf, this is a minor issue which does not warrant
a DSA. But it will be nice if you can fix this via a Jessie point
release. Thanks a lot for your work on pdns!

Regards,
Salvatore

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Marked as found in versions pdns/3.4.1-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 11 Jul 2016 18:48:04 GMT)


Reply sent to Christian Hofstaedtler <zeha@debian.org>:
You have taken responsibility. (Sat, 30 Jul 2016 22:27:29 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 30 Jul 2016 22:27:29 GMT)


Message #12 received at 830808-close@bugs.debian.org:

From: Christian Hofstaedtler <zeha@debian.org>
To: 830808-close@bugs.debian.org
Subject: Bug#830808: fixed in pdns 4.0.1-1
Date: Sat, 30 Jul 2016 22:25:02 +0000
Source: pdns
Source-Version: 4.0.1-1

We believe that the bug you reported is fixed in the latest version of
pdns, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 830808@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hofstaedtler <zeha@debian.org> (supplier of updated pdns package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 30 Jul 2016 20:38:41 +0000
Source: pdns
Binary: pdns-server pdns-tools pdns-backend-bind pdns-backend-pipe pdns-backend-ldap pdns-backend-geoip pdns-backend-mysql pdns-backend-odbc pdns-backend-pgsql pdns-backend-sqlite3 pdns-backend-lua pdns-backend-remote pdns-backend-opendbx pdns-backend-mydns pdns-backend-tinydns
Architecture: source
Version: 4.0.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>
Changed-By: Christian Hofstaedtler <zeha@debian.org>
Description:
 pdns-backend-bind - BIND backend for PowerDNS
 pdns-backend-geoip - geoip backend for PowerDNS
 pdns-backend-ldap - LDAP backend for PowerDNS
 pdns-backend-lua - Lua backend for PowerDNS
 pdns-backend-mydns - MyDNS compatibility backend for PowerDNS
 pdns-backend-mysql - generic MySQL backend for PowerDNS
 pdns-backend-odbc - generic UnixODBC backend for PowerDNS
 pdns-backend-opendbx - OpenDBX backend for PowerDNS
 pdns-backend-pgsql - generic PostgreSQL backend for PowerDNS
 pdns-backend-pipe - pipe/coprocess backend for PowerDNS
 pdns-backend-remote - remote backend for PowerDNS
 pdns-backend-sqlite3 - sqlite 3 backend for PowerDNS
 pdns-backend-tinydns - tinydns compatibility backend for PowerDNS
 pdns-server - extremely powerful and versatile nameserver
 pdns-tools - Tools for DNS debugging by PowerDNS
Closes: 828490 830808
Changes:
 pdns (4.0.1-1) unstable; urgency=medium
 .
   * New upstream release, drop upstream applied patch. (Closes: #828490,
     #830808)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----




Bug reopened. Request was from Christian Hofstaedtler <zeha@debian.org> to control@bugs.debian.org. (Sun, 31 Jul 2016 01:12:07 GMT)


No longer marked as fixed in versions pdns/4.0.1-1. Request was from Christian Hofstaedtler <zeha@debian.org> to control@bugs.debian.org. (Sun, 31 Jul 2016 01:12:08 GMT)


Marked as fixed in versions pdns/4.0.1-1. Request was from Christian Hofstaedtler <zeha@debian.org> to control@bugs.debian.org. (Sun, 31 Jul 2016 01:15:03 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 10 Sep 2016 19:03:16 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 10 Sep 2016 19:03:16 GMT)


Message #23 received at 830808-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 830808-close@bugs.debian.org
Subject: Bug#830808: fixed in pdns 3.4.1-4+deb8u6
Date: Sat, 10 Sep 2016 19:02:46 +0000
Source: pdns
Source-Version: 3.4.1-4+deb8u6

We believe that the bug you reported is fixed in the latest version of
pdns, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 830808@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated pdns package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 02 Sep 2016 21:43:01 +0200
Source: pdns
Binary: pdns-server pdns-server-dbg pdns-backend-pipe pdns-backend-ldap pdns-backend-geo pdns-backend-mysql pdns-backend-pgsql pdns-backend-sqlite3 pdns-backend-lua pdns-backend-lmdb pdns-backend-remote pdns-backend-mydns
Architecture: source
Version: 3.4.1-4+deb8u6
Distribution: jessie-security
Urgency: high
Maintainer: Debian PowerDNS Maintainers <pkg-pdns-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 830808
Description: 
 pdns-backend-geo - geo backend for PowerDNS
 pdns-backend-ldap - LDAP backend for PowerDNS
 pdns-backend-lmdb - lmdb backend for PowerDNS
 pdns-backend-lua - Lua backend for PowerDNS
 pdns-backend-mydns - MyDNS compatibility backend for PowerDNS
 pdns-backend-mysql - generic MySQL backend for PowerDNS
 pdns-backend-pgsql - generic PostgreSQL backend for PowerDNS
 pdns-backend-pipe - pipe/coprocess backend for PowerDNS
 pdns-backend-remote - remote backend for PowerDNS
 pdns-backend-sqlite3 - sqlite 3 backend for PowerDNS
 pdns-server - extremely powerful and versatile nameserver
 pdns-server-dbg - debugging symbols for PowerDNS
Changes:
 pdns (3.4.1-4+deb8u6) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Reject qname's wirelength > 255, `chopOff()` handle dot inside labels.
     CVE-2016-5426: PowerDNS Authoritative Server accepts queries with a
     qname's length larger than 255 bytes.
     CVE-2016-5427: PowerDNS Authoritative Server does not properly handle
     dot inside labels.
   * Limit size of receivable AXFR data.
     CVE-2016-6172: Improper restriction of zone size limit (Closes: #830808)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 09 Oct 2016 07:25:05 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:48:21 2019; Machine Name: beach
