Hey - Upstream Designate maintainer here.

Icehouse - aka 2014.1 - is partially affected by CVE-2015-5695, failure
to enforce recordset quotas.

This was the less severe of the two CVEs, which we treated as a feature
not implemented rather than a security issue initially. Additionally,
the issue could only be exploited through the disabled by default +
marked experimental V2 API.

Regardless - The patch at [1] should be easy enough to re-work for Icehouse.

Thanks,
Kiall

[1]: https://launchpadlibrarian.net/211525408/bug-1471161-quotas-kilo.patch

On 19/08/15 09:11, Moritz Muehlenhoff wrote:

Source: designate
Severity: grave
Tags: security

Hi,
please see the thread starting here:
https://marc.info/?l=oss-security&m=143810184926097&w=2

Can you please check with upstream whether 2014.1 from jessie
is affected, if so we should fix it.

Cheers,
Moritz