Yves-Alexis Perez wrote: > Hi, > > as you may already know, a vulnerability in several recursive DNS > implementations (bind, pdns-recursor and unbound, maybe others) has been > found by a research. > > For unbound, it has been assigned CVE-2014-8602 and more information can > be found on the mailing list post at > https://unbound.net/pipermail/unbound-users/2014-December/003662.html > > It's not crystal clear which versions are currently vulnerable so at > first sight I'd say all. Can you prepare updated packages for Wheezy, > Jessie/Sid including only the patch linked in the above mail? > > For Wheezy you need to build with -sa (since it's the first security > upload) and target wheezy-security distribution. Then you send us the > debdiff so we can have a quick check, and after our ACK you can upload > to security-master and we release the DSA. > > For Jessie, you'll have to make a minimal upload to sid, and ask an > unblock to the release team. > > Don't forget to put the CVE number in the changelog. > > If you need any help with the above, don't hesitate to contact us.
AFAIK, all versions prior to 1.5.1 are affected. I'll work on backporting the fix to the versions in wheezy and jessie/sid. Thanks! -- Robert Edmonds edmo...@debian.org -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
