Your message dated Sun, 19 Jan 2025 20:35:49 +0000
with message-id <e1tzc1n-00cbak...@fasolo.debian.org>
and subject line Bug#1077751: fixed in dnsjava 3.6.2-1
has caused the Debian Bug report #1077751,
regarding dnsjava: CVE-2023-50868
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1077751: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077751
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: dnsjava
Version: 2.1.8-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for dnsjava.

CVE-2023-50868[0]:
| The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155
| when RFC 9276 guidance is skipped) allows remote attackers to cause
| a denial of service (CPU consumption for SHA-1 computations) via
| DNSSEC responses in a random subdomain attack, aka the "NSEC3"
| issue. The RFC 5155 specification implies that an algorithm must
| perform thousands of iterations of a hash function in certain
| situations.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-50868
    https://www.cve.org/CVERecord?id=CVE-2023-50868
[1] https://github.com/advisories/GHSA-mmwx-rj87-vfgr
[2] https://github.com/dnsjava/dnsjava/commit/711af79be3214f52daa5c846b95766dc0a075116 (v3.6.0)

Regards,
Salvatore

--- End Message ---
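
The hash chain that the CVE description above refers to, shown as an added example (not part of the bug report and not dnsjava code). It computes the RFC 5155 NSEC3 hash, counts the worst-case SHA-1 calls for one closest encloser proof, and applies an iteration cap in the spirit of RFC 9276; `MAX_ITERATIONS` and `plan_validation` are assumptions made for this sketch.

```python
import base64
import hashlib

# Assumed local policy cap: the report gives no number and this is not dnsjava's value.
MAX_ITERATIONS = 100

# base32 -> base32hex alphabet (RFC 4648), used for NSEC3 owner labels.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical (lower-case) DNS wire format of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: one SHA-1, then `iterations` more, salt appended each time."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()


def encloser_candidates(qname, zone):
    """qname and each ancestor down to the zone apex: the names a validator
    may have to hash while checking a closest encloser proof."""
    q = qname.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    if q[-len(z):] != z:
        raise ValueError("qname is not inside zone")
    return [".".join(q[i:]) for i in range(len(q) - len(z) + 1)]


def plan_validation(qname, zone, iterations, cap=MAX_ITERATIONS):
    """Refuse to do the hashing when the zone's iteration count exceeds the cap;
    otherwise report the worst-case SHA-1 calls for one NSEC3 parameter set."""
    if iterations > cap:
        return {"action": "treat-as-insecure", "sha1_calls": 0}
    names = encloser_candidates(qname, zone)
    return {"action": "validate", "sha1_calls": len(names) * (iterations + 1)}


if __name__ == "__main__":
    # Constructed input: the zone parameters from the RFC 5155 Appendix A example.
    print(nsec3_hash("example", bytes.fromhex("aabbccdd"), 12))
    print(plan_validation("a.b.c.example", "example", 12))
    print(plan_validation("a.b.c.example", "example", 2500))
```

The cost grows with both the number of labels in the queried name and the zone's iteration count, which is why the cap is checked before any hashing is done.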
--- Begin Message ---
Source: dnsjava
Source-Version: 3.6.2-1
Done: Andreas Tille <ti...@debian.org>

We believe that the bug you reported is fixed in the latest version of
dnsjava, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1077...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Tille <ti...@debian.org> (supplier of updated dnsjava package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 19 Jan 2025 20:38:23 +0100
Source: dnsjava
Architecture: source
Version: 3.6.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Andreas Tille <ti...@debian.org>
Closes: 1077368 1077750 1077751
Changes:
 dnsjava (3.6.2-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version
     Closes: #1077368 (CVE-2024-25638)
     Closes: #1077750 (CVE-2023-50387)
     Closes: #1077751 (CVE-2023-50868)
   * Fix watch file
   * Standards-Version: 4.7.0 (routine-update)
   * debhelper-compat 13 (routine-update)
   * Reorder sequence of d/control fields by cme (routine-update)
   * d/copyright: review (thanks to lrc)



--- End Message ---