Dear Sergiusz,

It seems my reply to your private email didn't convince you, so I am replying again on behalf of the Security Team.

> Dear Security Team,
>
> CVE-2008-4392 has "Candidate" status and has been under review for almost
> three years now, and still must be accepted by the CVE Editorial
> Board[0].

This is unimportant; there are a lot of CVEs under review, and this doesn't mean they are invalid.

> Why, after so many years, does the Debian Security Team, after a clear
> statement from prof. Bernstein[1], without confirmation of this rumour
> from the CVE Editorial Board, still block djbdns software from the
> society?

Thijs already wrote that we are waiting for a patch. All resolvers in the Debian archive are properly hardened against cache poisoning; I really don't understand why djbdns should be an exception.

> Attackers with access to the network are able to forge DNS
> responses, and if we treat this as a bug, we must remove all DNS cache
> software from Debian ASAP.

If you are privy to a way to poison other resolvers in the Debian archive, please open a bug and we will be happy to discuss the impact.

Cheers,
Giuseppe.