Source: unbound
Severity: grave
Tags: security
Justification: user security hole

Hi,

as you may already know, a vulnerability in several recursive DNS
implementations (bind, pdns-recursor and unbound, maybe others) has been
found by a researcher.

For unbound, it has been assigned CVE-2014-8602 and more information can
be found on the mailing list post at
https://unbound.net/pipermail/unbound-users/2014-December/003662.html

It's not crystal clear which versions are currently vulnerable so at
first sight I'd say all. Can you prepare updated packages for Wheezy,
Jessie/Sid including only the patch linked in the above mail?

For Wheezy you need to build with -sa (since it's the first security
upload) and target wheezy-security distribution. Then you send us the
debdiff so we can have a quick check, and after our ACK you can upload
to security-master and we release the DSA.

For Jessie, you'll have to make a minimal upload to sid, and ask the
release team for an unblock.

Don't forget to put the CVE number in the changelog.

If you need any help with the above, don't hesitate to contact us.

Regards,
-- 
Yves-Alexis Perez
Debian security team

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

