Your message dated Fri, 12 Dec 2014 09:37:30 +0000
with message-id <e1xzmfc-0000dz...@franck.debian.org>
and subject line Bug#772622: fixed in unbound 1.4.17-3+deb7u2
has caused the Debian Bug report #772622,
regarding CVE-2014-8602: denial of service with endless delegations
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
772622: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772622
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: unbound
Severity: grave
Tags: security
Justification: user security hole

Hi,

as you may already know, a vulnerability in several recursive DNS
implementations (bind, pdns-recursor and unbound, maybe others) has been
found by a researcher.

For unbound, it has been assigned CVE-2014-8602 and more information can
be found on the mailing list post at
https://unbound.net/pipermail/unbound-users/2014-December/003662.html

It's not crystal clear which versions are currently vulnerable so at
first sight I'd say all. Can you prepare updated packages for Wheezy,
Jessie/Sid including only the patch linked in the above mail?

For Wheezy you need to build with -sa (since it's the first security
upload) and target wheezy-security distribution. Then you send us the
debdiff so we can have a quick check, and after our ACK you can upload
to security-master and we release the DSA.

For Jessie, you'll have to make a minimal upload to sid, and ask the
release team for an unblock.

Don't forget to put the CVE number in the changelog.

If you need any help with the above, don't hesitate to contact us.

Regards,
-- 
Yves-Alexis Perez
Debian security team

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Source: unbound
Source-Version: 1.4.17-3+deb7u2

We believe that the bug you reported is fixed in the latest version of
unbound, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert Edmonds <edmo...@debian.org> (supplier of updated unbound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 09 Dec 2014 18:34:57 -0500
Source: unbound
Binary: unbound unbound-anchor unbound-host libunbound2 libunbound-dev python-unbound
Architecture: amd64 source
Version: 1.4.17-3+deb7u2
Distribution: wheezy-security
Urgency: medium
Maintainer: Robert S. Edmonds <edmo...@debian.org>
Changed-By: Robert Edmonds <edmo...@debian.org>
Closes: 772622
Description: 
 libunbound-dev - static library, header files, and docs for libunbound
 libunbound2 - library implementing DNS resolution and validation
 python-unbound - library implementing DNS resolution and validation (Python bindin
 unbound    - validating, recursive, caching DNS resolver
 unbound-anchor - utility to securely fetch the root DNS trust anchor
 unbound-host - reimplementation of the 'host' command
Changes: 
 unbound (1.4.17-3+deb7u2) wheezy-security; urgency=medium
 .
    * Fix CVE-2014-8602: denial of service by making resolver chase endless
      series of delegations; closes: #772622.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
