Source: knot-resolver
Version: 3.2.1-3
Severity: grave
Tags: security upstream

Hi,

The following vulnerabilities were published for knot-resolver.

CVE-2019-10190[0]:
do not pass bogus negative answer to client

CVE-2019-10191[1]:
do not cache negative answer with forged QNAME+QTYPE

[2] contains minimal patches.

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10190
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10190
[1] https://security-tracker.debian.org/tracker/CVE-2019-10191
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10191
[2] https://www.openwall.com/lists/oss-security/2019/07/14/1

I'm not entirely sure about the need for a DSA or no-dsa. But I want to raise a question, don't get me wrong though. Upstream say that basically they do not recommend cherry-picking fixes and to just update to 4.1.0 in this case. Is knot-resolver in a state that we can support it for buster? Back for stretch we were forced to drop knot-resolver in a point release, so I wonder if we are actually in a better position for buster. The last mail exchange with Moritz back in November 2018 suggests that it should be more feasible now though.

Any thoughts from your side?

Regards,
Salvatore