Hi Bernhard,

On Sun, Dec 10, 2017 at 08:31:16PM +0100, Bernhard Schmidt wrote:
> Version: 1:9.10.6+dfsg-1
>
> On Mon, Jul 11, 2016 at 09:01:31PM +0200, Salvatore Bonaccorso wrote:
> > Hi,
> >
> > the following vulnerability was published for bind9.
> >
> > CVE-2016-6170[0]:
> > | ISC BIND through 9.10.4-P1 allows primary DNS servers to cause a
> > | denial of service (secondary DNS server crash) via a large AXFR
> > | response, and possibly allows IXFR servers to cause a denial of
> > | service (IXFR client crash) via a large IXFR response and allows
> > | remote authenticated users to cause a denial of service (primary DNS
> > | server crash) via a large UPDATE message.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2016-6170
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1353563
> >
> > Please adjust the affected versions in the BTS as needed.
>
> The upstream fix has landed in Debian in 1:9.10.6+dfsg-1 . It is an
> additional configuration knob to limit the maximum size of the inbound
> zone transfer.
>
> This is probably not important enough to backport. Looks like the
> security team thinks the same?
> https://security-tracker.debian.org/tracker/CVE-2016-6170
Yes exactly, thanks for pinpointing the "fixed version" for unstable; I
have updated the security-tracker information.

Regards,
Salvatore
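Bernhard's message describes the upstream fix as a configuration knob capping the size of an inbound zone transfer but does not name it. The named.conf fragment below is an added illustration for readers of this thread, not text from the bug report or from the Debian package; it assumes the knob is BIND's `max-records` zone option (a real option in current BIND 9 releases, which limits how many records named will accept in a zone), and the zone name, file path and primary address are placeholders.

```conf
// Added illustration, not part of the bug report. Assumes the knob Bernhard
// refers to is BIND's "max-records" option; zone name, primary address and
// file path are placeholders.
options {
    // Server-wide ceiling on records per zone. The default of 0 means
    // unlimited, which is the pre-fix behaviour the CVE text describes:
    // a primary could push an arbitrarily large AXFR at a secondary.
    max-records 1000000;
};

zone "example.test" {
    type slave;
    masters { 192.0.2.10; };
    file "slaves/example.test.db";
    // Per-zone override: size this to the zone's realistic record count
    // with headroom, so an abnormally large transfer is refused rather
    // than loaded. Refusals appear in the named log and leave the
    // previously loaded copy of the zone in service.
    max-records 50000;
};
```

A sensible operating check after adding the limit is to compare it against the record count of the zone you actually serve; a limit set below the real size turns into a self-inflicted transfer failure at the next refresh. The CVE text also mentions large UPDATE messages against a primary; the thread only describes the knob as an inbound-transfer limit, so that path is not covered by this fragment.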