On Mon, Jan 28, 2013 at 07:37:03AM +0100, Moritz Muehlenhoff wrote:
> Package: bind9
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Please see https://kb.isc.org/article/AA-00855 for details.
Hello,

I'm providing a summary of the issue following my investigation as a
non-bind9 developer:

- a DoS (server crash with assertion failure) in a rare configuration
  involving both DNS64 and Response Policy Zones, when maintaining A
  rewrite rules but not AAAA rewrite rules
- the workaround is to make sure the RPZ contains an AAAA rewrite rule
  for every A rewrite rule
- there is no production-quality patch available upstream (but there is
  a patch in 9.8.5b1). "However, the suggested workaround is a complete
  remedy for those who are using DNS64 in conjunction with RPZ, and is
  recommended in preference to running beta code in a production
  environment."

Given these, I am not convinced that this should be RC for wheezy. How
about a NEWS item drawing attention to the issue and workaround, and a
downgrade to important?

Note: I was unable to find any public upstream VCS for BIND 9 so was
unable to easily find the relevant patch. Could the BIND 9 maintainers
comment on whether they would consider including the patch?

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
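The workaround summarised above (every A rewrite rule in the RPZ must have an AAAA companion) is easy to audit mechanically. The following script is an added example written for this page; it is not code from BIND 9, ISC or the Debian maintainers. It reads a subset of master-file syntax ($ORIGIN/$TTL, comments, optional TTL and class, relative owner names; no multi-line parentheses or $INCLUDE), lists owner names that carry an A rule but no AAAA rule, and emits the AAAA lines an operator would add. The zone text, names and addresses are constructed for illustration and the IPv6 target is a hypothetical parameter the operator chooses.

```python
"""Audit an RPZ zone for A rewrite rules that lack an AAAA companion.

Added example for the DNS64 + RPZ issue discussed in this bug, not code from
BIND 9 or from the Debian package. Zone content below is constructed.
"""
from collections import defaultdict

# Constructed RPZ zone (hypothetical names and addresses):
#  - bad.example.com has an A rewrite only -> the pattern the advisory warns about
#  - worse.example.com has both A and AAAA  -> fine under the workaround
#  - blocked.example.com uses a CNAME action -> not an A rewrite, ignored
SAMPLE_RPZ_ZONE = """\
$TTL 300
$ORIGIN rpz.example.
@   IN SOA  ns.example. hostmaster.example. ( 1 3600 900 604800 300 )
    IN NS   ns.example.
; walled-garden rewrite, A only
bad.example.com        IN A     192.0.2.10
; walled-garden rewrite, A and AAAA
worse.example.com      IN A     192.0.2.11
worse.example.com      IN AAAA  2001:db8::11
; NXDOMAIN action, not a rewrite
blocked.example.com    IN CNAME .
"""

RRTYPES = {"A", "AAAA", "CNAME", "SOA", "NS", "TXT", "PTR", "MX"}


def parse_rrs(zone_text):
    """Minimal master-file reader: returns {owner: {rrtype: [rdata, ...]}}.

    Handles $ORIGIN and $TTL, ';' comments, optional TTL and class fields and
    relative or blank owner names. Multi-line '(' records and $INCLUDE are
    deliberately not supported; keep the input to the simple subset shown.
    """
    origin = "."
    last_owner = None
    rrs = defaultdict(lambda: defaultdict(list))
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):
            continue  # $TTL etc. carry no records
        fields = line.split()
        if line[0] in " \t":
            owner = last_owner  # blank owner column repeats the previous owner
        else:
            owner = fields.pop(0)
        # optional TTL (numeric) and class (IN/CH/HS) precede the type
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)
        if not fields or fields[0].upper() not in RRTYPES:
            continue
        rrtype = fields.pop(0).upper()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = owner + "." + origin  # make relative names absolute
        last_owner = owner
        rrs[owner][rrtype].append(" ".join(fields))
    return rrs


def a_without_aaaa(zone_text):
    """Owner names with an A rewrite rule but no AAAA rewrite rule."""
    rrs = parse_rrs(zone_text)
    return sorted(o for o, types in rrs.items() if "A" in types and "AAAA" not in types)


def suggested_aaaa_records(zone_text, aaaa_target):
    """Companion AAAA lines to add, pointing at the operator's chosen IPv6
    walled-garden address (a policy choice passed in by the caller)."""
    return [f"{owner} IN AAAA {aaaa_target}" for owner in a_without_aaaa(zone_text)]


if __name__ == "__main__":
    missing = a_without_aaaa(SAMPLE_RPZ_ZONE)
    if missing:
        print("A rewrite rules without an AAAA companion:")
        for line in suggested_aaaa_records(SAMPLE_RPZ_ZONE, "2001:db8::10"):
            print("  add:", line)
    else:
        print("every A rewrite rule has an AAAA companion")
```

Run it against each RPZ zone file that a DNS64-enabled resolver loads; an empty result means the configuration already matches the upstream workaround, a non-empty one lists exactly the names that still need an AAAA rule.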