Hi Michael, On Mon, May 29, 2017 at 02:04:17PM +0200, Michael Biebl wrote: > Hi Salvatore! > > On Wed, 24 May 2017 20:27:22 +0200 Salvatore Bonaccorso > <car...@debian.org> wrote: > > Source: systemd > > Version: 232-23 > > Severity: important > > Tags: patch upstream security > > Forwarded: https://github.com/systemd/systemd/pull/5998 > > > > Hi, > > > > the following vulnerability was published for systemd. > > > > CVE-2017-9217[0]: > > | systemd-resolved through 233 allows remote attackers to cause a denial > > | of service (daemon crash) via a crafted DNS response with an empty > > | question section. > > > > If you fix the vulnerability please also make sure to include the > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > > > For further information see: > > > > [0] https://security-tracker.debian.org/tracker/CVE-2017-9217 > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9217 > > [1] https://github.com/systemd/systemd/pull/5998 > > [2] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1621396 > > [3] https://bugzilla.novell.com/show_bug.cgi?id=1040614 > > > > Please adjust the affected versions in the BTS as needed. I think the > > version in jessie should not be affected; unless I'm wrong (and then > > please correct me) the resolved: DNS client stub resolver was only > > introduced post v216, and the issue maybe even later (post v219). But > > would be greatly appreciated if you can confirm that. > > I've marked it as found in v217-1, as this was the first version after > v216 uploaded to the archive. It doesn't matter to much if it's v217 or > v219 I think. Those uploads all landed in experimental at that time.
Ack thanks. > As for the bug itself: We don't enable resolved by default in Debian: Do > you think this bug is important enough that we should get this into 9.0? > I'd have to ask for an unlock request then. > > Otherwise I'd just queue this fix in the stretch branch and try to get > this into 9.1. *If* you have other fixes which should go in stretch, then it might be good to include it. Otherwise I agree, can be fixed in buster and then in stretch via a point release! > For now, I'll apply this fix to v233 which is currently in experimental. Ok! Regards, Salvatore
