Your message dated Sat, 19 Oct 2019 12:32:40 +0000
with message-id <[email protected]>
and subject line Bug#941692: fixed in unbound 1.9.0-2+deb10u1
has caused the Debian Bug report #941692,
regarding unbound: CVE-2019-16866
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
941692: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941692
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: unbound
Version: 1.9.3-1
Severity: important
Tags: security upstream
Control: found -1 1.9.0-2

Hi,

The following vulnerability was published for unbound.

CVE-2019-16866[0]:
| Unbound before 1.9.4 accesses uninitialized memory, which allows
| remote attackers to trigger a crash via a crafted NOTIFY query. The
| source IP address of the query must match an access-control rule.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-16866
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16866
[1] https://nlnetlabs.nl/downloads/unbound/CVE-2019-16866.txt

Please adjust the affected versions in the BTS as needed. If I checked
correctly, then this issue was really only introduced upstream in
1.7.1, thus not affecting stretch. Please double-check.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: unbound
Source-Version: 1.9.0-2+deb10u1

We believe that the bug you reported is fixed in the latest version of
unbound, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert Edmonds <[email protected]> (supplier of updated unbound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 12 Oct 2019 20:40:17 -0400
Source: unbound
Architecture: source
Version: 1.9.0-2+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: unbound packagers <[email protected]>
Changed-By: Robert Edmonds <[email protected]>
Closes: 941692
Changes:
 unbound (1.9.0-2+deb10u1) buster-security; urgency=high
 .
   * Apply NLnet Labs patch for CVE-2019-16866 (Closes: #941692)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
