Dear Security Team,

CVE-2008-4392 has "Candidate" status and has been under review for almost
three years now, and still must be accepted by the CVE Editorial
Board[0].

Why, after so many years, does the Debian Security Team, after a clear
statement from Prof. Bernstein[1], without confirmation of this rumour
from the CVE Editorial Board, still block djbdns software from the
society?

Attackers with access to the network are able to forge DNS
responses, and if we treat it as a bug, we must remove all DNS cache
software from Debian ASAP.

Thanks,
Serge

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4392
[1] http://cr.yp.to/djbdns/forgery.html


