Debian Bug report logs - #830806
nsd: CVE-2016-6173: Improper restriction of zone size limit
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>: Bug#830806; Package src:nsd. (Mon, 11 Jul 2016 18:33:10 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>. (Mon, 11 Jul 2016 18:33:10 GMT)
Message #5 received at submit@bugs.debian.org:
Source: nsd
Version: 4.1.10-1
Severity: important
Tags: security upstream patch
Forwarded: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=790
Hi,
the following vulnerability was published for nsd.
CVE-2016-6173[0]:
Improper restriction of zone size limit
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-6173
[1] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=790
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>: Bug#830806; Package src:nsd. (Mon, 11 Jul 2016 18:39:03 GMT)
Acknowledgement sent to Ondřej Surý <ondrej@sury.org>: Extra info received and forwarded to list. Copy sent to Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>. (Mon, 11 Jul 2016 18:39:03 GMT)
Message #10 received at 830806@bugs.debian.org:
Hi Salvatore,
the common agreement between DNS Vendors (that includes me) is that this
shouldn't have been assigned a CVE as it is an operational issue as you
have an established trust between DNS master-slave for transfers. (And
all DNS servers are affected.)
I don't think this really needs an update in stable, but I would like to
hear whether you think otherwise.
Cheers,
--
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Bread-baking supplies of all
kinds
On Mon, Jul 11, 2016, at 20:30, Salvatore Bonaccorso wrote:
> Source: nsd
> Version: 4.1.10-1
> Severity: important
> Tags: security upstream patch
> Forwarded: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=790
>
> Hi,
>
> the following vulnerability was published for nsd.
>
> CVE-2016-6173[0]:
> Improper restriction of zone size limit
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-6173
> [1] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=790
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>
> -- System Information:
> Debian Release: stretch/sid
> APT prefers unstable
> APT policy: (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
Marked as found in versions nsd/4.1.0-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 11 Jul 2016 18:42:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>: Bug#830806; Package src:nsd. (Mon, 11 Jul 2016 18:51:09 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>. (Mon, 11 Jul 2016 18:51:09 GMT)
Message #17 received at 830806@bugs.debian.org:
Hi Ondrej,
On Mon, Jul 11, 2016 at 08:36:07PM +0200, Ondřej Surý wrote:
> Hi Salvatore,
>
> the common agreement between DNS Vendors (that includes me) is that this
> shouldn't have been assigned a CVE as it is an operational issue as you
> have an established trust between DNS master-slave for transfers. (And
> all DNS servers are affected.)
>
> I don't think this really needs an update in stable, but I would like to
> hear whether you think otherwise.
No, I completely agree, we actually have marked all those already as
no-dsa (for src:nsd, src:pdns, src:bind9 and src:knot). But filing
those as well in BTS to have the reference in BTS.
Thanks for your quick response, amazing :-)
Salvatore
Marked as fixed in versions nsd/4.1.11-1. Request was from Markus Schade <markus.schade@gmail.com> to control@bugs.debian.org. (Fri, 26 Oct 2018 09:00:10 GMT)
Marked Bug as done. Request was from Markus Schade <markus.schade@gmail.com> to control@bugs.debian.org. (Fri, 26 Oct 2018 09:00:10 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Fri, 26 Oct 2018 09:00:11 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Nov 2018 07:25:11 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:34:58 2019; Machine Name: buxtehude