Your message dated Wed, 17 Sep 2008 15:17:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#492698: fixed in adns 1.4-2
has caused the Debian Bug report #492698,
regarding appears to be vulnerable to cache poisoning attack CVE-2008-1447
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
492698: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492698
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: adns
Version: 1.4-0.1
Severity: important
Tags: security

Hi,

From inspecting the code of adns, it seems that it is not using the
recommended source port randomisation for countering the cache poisoning
attack as discovered by Dan Kaminsky and referenced as CVE-2008-1447.

Since this is a stub resolver the risk is lesser than for caching nameservers, 
but nonetheless this is an issue which we really should be fixing in lenny. 
Can you please look into that? As it seems a fix for important bugs can still 
be granted a freeze exception.

If a straightforward fix is available for etch, it would be released by the 
security team.

thanks,
Thijs



--- End Message ---
--- Begin Message ---
Source: adns
Source-Version: 1.4-2

We believe that the bug you reported is fixed in the latest version of
adns, which is due to be installed in the Debian FTP archive:

adns-tools_1.4-2_amd64.deb
  to pool/main/a/adns/adns-tools_1.4-2_amd64.deb
adns-tools_1.4-2_i386.deb
  to pool/main/a/adns/adns-tools_1.4-2_i386.deb
adns_1.4-2.diff.gz
  to pool/main/a/adns/adns_1.4-2.diff.gz
adns_1.4-2.dsc
  to pool/main/a/adns/adns_1.4-2.dsc
libadns1-dev_1.4-2_amd64.deb
  to pool/main/a/adns/libadns1-dev_1.4-2_amd64.deb
libadns1-dev_1.4-2_i386.deb
  to pool/main/a/adns/libadns1-dev_1.4-2_i386.deb
libadns1_1.4-2_amd64.deb
  to pool/main/a/adns/libadns1_1.4-2_amd64.deb
libadns1_1.4-2_i386.deb
  to pool/main/a/adns/libadns1_1.4-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert S. Edmonds <[EMAIL PROTECTED]> (supplier of updated adns package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 17 Sep 2008 10:37:36 -0400
Source: adns
Binary: libadns1-dev adns-tools libadns1
Architecture: amd64 i386 source 
Version: 1.4-2
Distribution: unstable
Urgency: low
Maintainer: Robert S. Edmonds <[EMAIL PROTECTED]>
Changed-By: Robert S. Edmonds <[EMAIL PROTECTED]>
Closes: 435593 491513 492698
Description:
 adns-tools - Asynchronous-capable DNS client library and utilities
 libadns1   - Asynchronous-capable DNS client library and utilities
 libadns1-dev - Asynchronous-capable DNS client library and utilities
Changes:
 adns (1.4-2) unstable; urgency=low
 .
   * Acknowledge NMU.
   * libadns1 'Recommends: libadns1-bin' to 'Suggests: adns-tools'; closes:
     #435593, #491513.
   * Document CVE-2008-1447 / CVE-2008-4100 poisoning vulnerability in
     README.Debian; closes: #492698.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjRHqkACgkQdp+/SHMBQJGVrQCgh5vU9WQeUBHkusSzjU+RUnyc
ULcAn2sk5X5jbP1u0/i32P6zpYgFMQbE
=aW2b
-----END PGP SIGNATURE-----



--- End Message ---