Your message dated Tue, 09 Dec 2014 23:24:39 +0000
with message-id <e1xyu91-0007zr...@franck.debian.org>
and subject line Bug#772622: fixed in unbound 1.4.22-3
has caused the Debian Bug report #772622,
regarding CVE-2014-8602: denial of service with endless delegations
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
772622: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772622
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: unbound
Severity: grave
Tags: security
Justification: user security hole

Hi,

as you may already know, a vulnerability in several recursive DNS
implementations (bind, pdns-recursor and unbound, maybe others) has been
found by a researcher.

For unbound, it has been assigned CVE-2014-8602 and more information can
be found on the mailing list post at
https://unbound.net/pipermail/unbound-users/2014-December/003662.html

It's not crystal clear which versions are currently vulnerable so at
first sight I'd say all. Can you prepare updated packages for Wheezy,
Jessie/Sid including only the patch linked in the above mail?

For Wheezy you need to build with -sa (since it's the first security
upload) and target wheezy-security distribution. Then you send us the
debdiff so we can have a quick check, and after our ACK you can upload
to security-master and we release the DSA.

For Jessie, you'll have to make a minimal upload to sid, and ask the
release team for an unblock.

Don't forget to put the CVE number in the changelog.

If you need any help with the above, don't hesitate to contact us.

Regards,
-- 
Yves-Alexis Perez
Debian security team

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Source: unbound
Source-Version: 1.4.22-3

We believe that the bug you reported is fixed in the latest version of
unbound, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert Edmonds <edmo...@debian.org> (supplier of updated unbound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 09 Dec 2014 17:52:08 -0500
Source: unbound
Binary: unbound unbound-anchor unbound-host libunbound2 libunbound-dev python-unbound
Architecture: amd64 source
Version: 1.4.22-3
Distribution: unstable
Urgency: medium
Maintainer: Robert S. Edmonds <edmo...@debian.org>
Changed-By: Robert Edmonds <edmo...@debian.org>
Closes: 772622
Description: 
 libunbound-dev - static library, header files, and docs for libunbound
 libunbound2 - library implementing DNS resolution and validation
 python-unbound - library implementing DNS resolution and validation (Python bindin
 unbound    - validating, recursive, caching DNS resolver
 unbound-anchor - utility to securely fetch the root DNS trust anchor
 unbound-host - reimplementation of the 'host' command
Changes:
 unbound (1.4.22-3) unstable; urgency=medium
 .
   * Fix CVE-2014-8602: denial of service by making resolver chase endless
     series of delegations; closes: #772622.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
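
The report asks for the CVE number in the changelog and for an upload aimed at the right distribution, and the closing message carries the resulting .changes fields. The following pre-upload check is an added example, not part of either message or of Debian's tooling; `parse_fields` and `check_security_upload` are hypothetical names, and the sample is an abridged copy of the fields quoted above.

```python
import re

# Abridged copy of the control fields from the .changes file quoted above
# (checksums and signature omitted).
SAMPLE_CHANGES = """\
Format: 1.8
Source: unbound
Version: 1.4.22-3
Distribution: unstable
Urgency: medium
Closes: 772622
Changes:
 unbound (1.4.22-3) unstable; urgency=medium
 .
   * Fix CVE-2014-8602: denial of service by making resolver chase endless
     series of delegations; closes: #772622.
"""

def parse_fields(text):
    """Parse deb822-style fields; continuation lines start with whitespace."""
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key] += "\n" + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
    return fields

def check_security_upload(text, cve, bug, distribution):
    """Return a list of problems; an empty list means the upload looks right."""
    f = parse_fields(text)
    problems = []
    if f.get("Distribution") != distribution:
        problems.append(
            f"Distribution is {f.get('Distribution')!r}, expected {distribution!r}")
    if not re.search(rf"\b{re.escape(cve)}\b", f.get("Changes", "")):
        problems.append(f"{cve} not mentioned in Changes")
    if str(bug) not in f.get("Closes", "").split():
        problems.append(f"bug #{bug} not listed in Closes")
    return problems

if __name__ == "__main__":
    for target in ("unstable", "wheezy-security"):
        print(target, check_security_upload(
            SAMPLE_CHANGES, "CVE-2014-8602", 772622, target))
```

Run against the sid upload it reports nothing; checked against `wheezy-security` it flags the distribution, which is the mistake the Wheezy instructions are meant to prevent.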
