Your message dated Fri, 03 Jul 2009 19:54:36 +0000
with message-id <e1mmoqc-0000bf...@ries.debian.org>
and subject line Bug#529420: fixed in nsd 2.3.6-1+etch1
has caused the Debian Bug report #529420,
regarding Critical off-by-one error in NSD2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
529420: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529420
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: nsd
Version: 2.3.7-1.1
Severity: grave
Tags: security
Dear NSD users and maintainers,
We have released version 3.2.2. of NSD. This is *critical* bugfix
release. One of the bugs is a one-byte buffer overflow that allows a
carefully crafted exploit to take down your name-server. It is highly
unlikely that the one-byte-off issue can lead to other (system) exploits.
The bug affects all version of NSD 2.0.0 to 3.2.1. Whether the bug can
be exploited to depends on various aspects of the OS and is therefore
distribution and compiler dependent.
For more information:
http://www.nlnetlabs.nl/publications/NSD_vulnerability_announcement.html
We strongly recommend you to update your systems to the latest version.
If you have reasons for not running the latest version of NSD, we
strongly advise you to at least apply the patch that resolves the
critical bug.
The source and patches are available at our website:
http://www.nlnetlabs.nl/downloads/nsd/nsd-3.2.2.tar.gz
http://www.nlnetlabs.nl/downloads/nsd/nsd-3.2.1-vuln.patch
http://www.nlnetlabs.nl/downloads/nsd/nsd-2.3.7-vuln.patch
SHA1 checksum (source): 23fc0be5d447ea852acd49f64743c96403a091fa
SHA1 checksum (patch 3.2.1): 20cb9fc73fae951a9cc25822c48b17ca1d956119
SHA1 checksum (patch 2.3.7): 94887d212621b458a86ad5b086eec9240477
Note that NSD 2.X is feature frozen and security patches may not be made
available in future events.
We acknowledge and thank Ilja von Sprundel of IOActive for finding and
reporting this bug.
Matthijs Mekking
NLnet Labs
RELNOTES:
BUG FIXES:
- - Off-by-one buffer overflow fix while processing the QUESTION section.
- - Return BADVERS when NSD does not implement the VERSION level of the
request, instead of 0x1<FORMERR>.
- - Bugfix #234.
- - Bugfix #235.
- - Reset 'error occurred' after notifying an error occurred at the $TTL
or $ORIGIN directive (Otherwise, the whole zone is skipped because the
error is reset after reading the SOA).
- - Minor bugfixes.
--- End Message ---
--- Begin Message ---
Source: nsd
Source-Version: 2.3.6-1+etch1
We believe that the bug you reported is fixed in the latest version of
nsd, which is due to be installed in the Debian FTP archive:
nsd_2.3.6-1+etch1.diff.gz
to pool/main/n/nsd/nsd_2.3.6-1+etch1.diff.gz
nsd_2.3.6-1+etch1.dsc
to pool/main/n/nsd/nsd_2.3.6-1+etch1.dsc
nsd_2.3.6-1+etch1_i386.deb
to pool/main/n/nsd/nsd_2.3.6-1+etch1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 529...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <th...@debian.org> (supplier of updated nsd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 19 May 2009 16:28:31 +0200
Source: nsd
Binary: nsd
Architecture: source i386
Version: 2.3.6-1+etch1
Distribution: oldstable-security
Urgency: high
Maintainer: Ondřej Surý <ond...@debian.org>
Changed-By: Thijs Kinkhorst <th...@debian.org>
Description:
nsd - authoritative name domain server
Closes: 529420
Changes:
nsd (2.3.6-1+etch1) oldstable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix off-by-one error allowing a DoS (VU#710316, closes: #529420).
Files:
cd9d37244bfa45fb346d99c8d2bab5a0 923 net optional nsd_2.3.6-1+etch1.dsc
72428cdacc5bee63b4477becda27bf64 244341 net optional nsd_2.3.6.orig.tar.gz
ceed33911e93f79ddce6a60621685f5a 7539 net optional nsd_2.3.6-1+etch1.diff.gz
d88a2ec27887b12bf4e1a484cea49a8b 152192 net optional nsd_2.3.6-1+etch1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iQEcBAEBAgAGBQJKEsM6AAoJECIIoQCMVaAcUkoIAIHp3PfikZ8Bnu3u+sAe9WPx
9nAvCZckvwpY9i12kcnpCHv+sCk1/q+1oZUUKkq/a3r2WrvxKT3q1YomY0/EUQY0
OZLkUR0R5LqK35wC0yEwLEDN3GAApvi+mr8F/IRkCQl2nMpNqqUvT8TYREsdUAnm
FcmekZtNphlOwsvDt7yz/nAqVyXevttdWrrK7tA7JsPHY9l9A3L3JMpEMFZPIotT
LNj2SW/lqsRwau9C/M3fDdTCm90YY5flB5WMB/qvPYUVRCguGYrb3h7Xb51UEpmf
E6iZw+EI+iVLiSw/XJ+7v7aU4/mwvVTxL2CF5yu+ACF4m2q6ym/tAL90Qjd24qc=
=rkn4
-----END PGP SIGNATURE-----
--- End Message ---
