Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2016-6173

Source

Debian Bug report logs - #830806
nsd: CVE-2016-6173: Improper restriction of zone size limit

Package: src:nsd; Maintainer for src:nsd is nsd packagers <nsd@packages.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 11 Jul 2016 18:33:06 UTC

Severity: important

Tags: patch, security, upstream

Found in versions nsd/4.1.0-3, nsd/4.1.10-1

Fixed in version nsd/4.1.11-1

Done: Markus Schade <markus.schade@gmail.com>

Bug is archived. No further changes may be made.

Forwarded to https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=790

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>:
Bug#830806; Package src:nsd. (Mon, 11 Jul 2016 18:33:10 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>. (Mon, 11 Jul 2016 18:33:10 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Source: nsd
Version: 4.1.10-1
Severity: important
Tags: security upstream patch
Forwarded: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=790

Hi,

the following vulnerability was published for nsd.

CVE-2016-6173[0]:
Improper restriction of zone size limit

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-6173
[1] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=790

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>:
Bug#830806; Package src:nsd. (Mon, 11 Jul 2016 18:39:03 GMT) (full text, mbox, link).

Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>. (Mon, 11 Jul 2016 18:39:03 GMT) (full text, mbox, link).

Message #10 received at 830806@bugs.debian.org (full text, mbox, reply):

Hi Salvatore,

the common agreement between DNS Vendors (that includes me) is that this
shouldn't have been assigned CVE as it is an operational issue as you
have an established trust between DNS master-slave for transfers. (And
all DNS servers are affected.)

I don't think this really needs update in stable, but I would like to
hear whether you think otherwise.

Cheers,
-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Potřeby pro pečení chleba
všeho druhu

On Mon, Jul 11, 2016, at 20:30, Salvatore Bonaccorso wrote:
> Source: nsd
> Version: 4.1.10-1
> Severity: important
> Tags: security upstream patch
> Forwarded: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=790
> 
> Hi,
> 
> the following vulnerability was published for nsd.
> 
> CVE-2016-6173[0]:
> Improper restriction of zone size limit
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-6173
> [1] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=790
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore
> 
> -- System Information:
> Debian Release: stretch/sid
>   APT prefers unstable
>   APT policy: (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> _______________________________________________
> pkg-dns-devel mailing list
> pkg-dns-devel@lists.alioth.debian.org
> https://lists.alioth.debian.org/mailman/listinfo/pkg-dns-devel

Marked as found in versions nsd/4.1.0-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 11 Jul 2016 18:42:03 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>:
Bug#830806; Package src:nsd. (Mon, 11 Jul 2016 18:51:09 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>. (Mon, 11 Jul 2016 18:51:09 GMT) (full text, mbox, link).

Message #17 received at 830806@bugs.debian.org (full text, mbox, reply):

Hi Ondrej,

On Mon, Jul 11, 2016 at 08:36:07PM +0200, Ondřej Surý wrote:
> Hi Salvatore,
> 
> the common agreement between DNS Vendors (that includes me) is that this
> shouldn't have been assigned CVE as it is an operational issue as you
> have an established trust between DNS master-slave for transfers. (And
> all DNS servers are affected.)
> 
> I don't think this really needs update in stable, but I would like to
> hear whether you think otherwise.

No I completely agree, we actually have marked all those already as
no-dsa (for src:nsd, src:pdns, src:bind9 and src:knot). But filling
those as well in BTS to have the reference in BTS.

Thanks for your quick response, amazing :-)

Salvatore

Marked as fixed in versions nsd/4.1.11-1. Request was from Markus Schade <markus.schade@gmail.com> to control@bugs.debian.org. (Fri, 26 Oct 2018 09:00:10 GMT) (full text, mbox, link).

Marked Bug as done Request was from Markus Schade <markus.schade@gmail.com> to control@bugs.debian.org. (Fri, 26 Oct 2018 09:00:10 GMT) (full text, mbox, link).

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 26 Oct 2018 09:00:11 GMT) (full text, mbox, link).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Nov 2018 07:25:11 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:34:58 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

nsd: CVE-2016-6173: Improper restriction of zone size limit

Debian Bug report logs - #830806
nsd: CVE-2016-6173: Improper restriction of zone size limit

Vulmon Search

About

Products

Connect

nsd: CVE-2016-6173: Improper restriction of zone size limit

Debian Bug report logs - #830806 nsd: CVE-2016-6173: Improper restriction of zone size limit

Vulmon Search

About

Products

Connect

Debian Bug report logs - #830806
nsd: CVE-2016-6173: Improper restriction of zone size limit