Your message dated Sat, 30 May 2009 11:52:55 +0000
with message-id <e1man7p-0000qx...@ries.debian.org>
and subject line Bug#529418: fixed in nsd3 3.2.2-1
has caused the Debian Bug report #529418,
regarding Critical off-by-one error in NSD3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
529418: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529418
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: nsd3
Version: 3.0.7-3.lenny1
Severity: grave
Tags: security
Dear NSD users and maintainers,
We have released version 3.2.2. of NSD. This is *critical* bugfix
release. One of the bugs is a one-byte buffer overflow that allows a
carefully crafted exploit to take down your name-server. It is highly
unlikely that the one-byte-off issue can lead to other (system) exploits.
The bug affects all version of NSD 2.0.0 to 3.2.1. Whether the bug can
be exploited to depends on various aspects of the OS and is therefore
distribution and compiler dependent.
For more information:
http://www.nlnetlabs.nl/publications/NSD_vulnerability_announcement.html
We strongly recommend you to update your systems to the latest version.
If you have reasons for not running the latest version of NSD, we
strongly advise you to at least apply the patch that resolves the
critical bug.
The source and patches are available at our website:
http://www.nlnetlabs.nl/downloads/nsd/nsd-3.2.2.tar.gz
http://www.nlnetlabs.nl/downloads/nsd/nsd-3.2.1-vuln.patch
http://www.nlnetlabs.nl/downloads/nsd/nsd-2.3.7-vuln.patch
SHA1 checksum (source): 23fc0be5d447ea852acd49f64743c96403a091fa
SHA1 checksum (patch 3.2.1): 20cb9fc73fae951a9cc25822c48b17ca1d956119
SHA1 checksum (patch 2.3.7): 94887d212621b458a86ad5b086eec9240477
Note that NSD 2.X is feature frozen and security patches may not be made
available in future events.
We acknowledge and thank Ilja von Sprundel of IOActive for finding and
reporting this bug.
Matthijs Mekking
NLnet Labs
RELNOTES:
BUG FIXES:
- - Off-by-one buffer overflow fix while processing the QUESTION section.
- - Return BADVERS when NSD does not implement the VERSION level of the
request, instead of 0x1<FORMERR>.
- - Bugfix #234.
- - Bugfix #235.
- - Reset 'error occurred' after notifying an error occurred at the $TTL
or $ORIGIN directive (Otherwise, the whole zone is skipped because the
error is reset after reading the SOA).
- - Minor bugfixes.
--
Ondřej Surý <ond...@sury.org>
http://blog.rfc1925.org/
--- End Message ---
--- Begin Message ---
Source: nsd3
Source-Version: 3.2.2-1
We believe that the bug you reported is fixed in the latest version of
nsd3, which is due to be installed in the Debian FTP archive:
nsd3_3.2.2-1.diff.gz
to pool/main/n/nsd3/nsd3_3.2.2-1.diff.gz
nsd3_3.2.2-1.dsc
to pool/main/n/nsd3/nsd3_3.2.2-1.dsc
nsd3_3.2.2-1_amd64.deb
to pool/main/n/nsd3/nsd3_3.2.2-1_amd64.deb
nsd3_3.2.2.orig.tar.gz
to pool/main/n/nsd3/nsd3_3.2.2.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 529...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pierre Habouzit <madco...@debian.org> (supplier of updated nsd3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 30 May 2009 11:47:17 +0200
Source: nsd3
Binary: nsd3
Architecture: source amd64
Version: 3.2.2-1
Distribution: unstable
Urgency: low
Maintainer: Pierre Habouzit <madco...@debian.org>
Changed-By: Pierre Habouzit <madco...@debian.org>
Description:
nsd3 - authoritative domain name server (3.x series)
Closes: 529418 530152
Changes:
nsd3 (3.2.2-1) unstable; urgency=low
.
* New upstream release (Closes: #529418).
* Fix bashism in nsdc.sh (Closes: #530152).
* Add 0005-Force-dbdir-to-be-var-lib-nsd3-by-patching-configure.patch
to fix the use of /var/db.
Checksums-Sha1:
5b5474f92855cdaa2b7406a0e9817d338585ec0e 1091 nsd3_3.2.2-1.dsc
23fc0be5d447ea852acd49f64743c96403a091fa 840917 nsd3_3.2.2.orig.tar.gz
57962703480031c1746e711c756d399f50d81912 7392 nsd3_3.2.2-1.diff.gz
87281e53bbb1f492bf36a17e1265d7e3f38e6c20 905532 nsd3_3.2.2-1_amd64.deb
Checksums-Sha256:
0040b2411908018ed1a216701d2776ada696dd2eaf66eb45ec5e42a4fa75a1c2 1091
nsd3_3.2.2-1.dsc
d538600eba68c6b4c297f3a2bfc89c48427ccb5dbba0ea29b93ad258d14c4343 840917
nsd3_3.2.2.orig.tar.gz
411cfaa5d93a684011a4793ea99c1e7a9d4bb022d9b8e3f742a37567a6e44f17 7392
nsd3_3.2.2-1.diff.gz
01bb5bb901bad097e15a6a73f9469715b0e0ada55d4007e5963fb254b2504ca6 905532
nsd3_3.2.2-1_amd64.deb
Files:
fe3c083814ad0419c8f4ec09e153f174 1091 net extra nsd3_3.2.2-1.dsc
a0dcb0a3b3c1a8d386125eeafe403f58 840917 net extra nsd3_3.2.2.orig.tar.gz
8bfdfad2c94d7bb4a8daa25769e44f0c 7392 net extra nsd3_3.2.2-1.diff.gz
d759f6aa304ace9ba9fbca3baee49561 905532 net extra nsd3_3.2.2-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkohB2AACgkQvGr7W6HudhxNiACeI8a52/1/0R6PZT3EA6LhR5e+
HEAAnifKTCVpxyfpODELOyLtIS/+oMvZ
=+rvj
-----END PGP SIGNATURE-----
--- End Message ---
