Hi Peter,

On Mon, Jul 27, 2020 at 05:20:23PM +0300, Peter Pentchev wrote:
> Now... related to that. I am not sure whether Moritz Muehlenhoff, when
> reopening this bug, was aware of the fact that Dmitry Bogatov included
> two patches from Jeff King that address the cache poisoning attack -
> and actually, the patches were mentioned in this bug log by Matija Nalis
> back in 2010. Moritz, is it possible that you had missed the inclusion
> of these two patches, or do you believe that they, by themselves, are
> still not enough to address this problem? If so, that would indeed be
> kind of unfortunate, since it is my impression that these particular
> patches are considered the best way to handle this among users of
> Prof. Bernstein's software.

I only reopened the bug since there was a discussion on debian-devel
about the fact that bugs in removed-and-then-reintroduced packages don't
get automatically reopened, and I remembered that long-standing bug. The
changelog made by Dmitry Bogatov doesn't mention it either.

If that specific bug is believed to be fixed by these two patches, then
I trust you on that. So feel free to mark the bug as closed in 1:1.05-10,
then.

The fact that djbdns has no active upstream is a different concern,
though, especially in the wake of the whole qmail disaster. Following it,
Georgi Guninski raised a few issues on oss-security (e.g.
https://www.openwall.com/lists/oss-security/2020/06/01/1), and without an
active upstream no one ever addressed or investigated them.

Cheers,
Moritz