* Florian Weimer:

> * Luk Claes:
>
>> Gerrit Pape wrote:
>>> On Thu, Oct 01, 2009 at 10:28:35PM +0200, Luk Claes wrote:
>>>> Any reason why there was no upload for this security issue to unstable yet?
>>>
>>> Hi, I made my position as the maintainer of the package clear in
>>>
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516394#36
>>>
>>> and some private discussions with the security team. In my opinion the
>>> issue is fixed sufficiently in unstable and testing, and the same
>>> changes should go into stable. I offered to prepare the packages, but
>>> the security team declined
>>
>> It seems that the security team does not agree that the bug is
>> sufficiently fixed or do they (in Cc)?
>
> djbdns should not be part of squeeze until it is properly hardened
> against cache poisoning. It is between 100 and 200 times easier than
> with other DNS servers.
>
> This hasn't got to do much with bug 516394, though.
Correction: It is related to 516394. Specifically, all publicly available information suggests dnscache (with the alleged fixes applied) can be poisoned within 40 minutes or so on Fast Ethernet, while other implementations withstand an attack on Gigabit Ethernet for half a day. The SOA cache bypass is not essential, so patching it away does not really address the issue. It is possible to force cache misses by cycling QTYPEs or QNAMEs, too.