Your message dated Sat, 27 Jun 2009 16:04:42 +0000
with message-id <e1mkaoq-00016w...@ries.debian.org>
and subject line Bug#529418: fixed in nsd3 3.0.7-3.lenny2
has caused the Debian Bug report #529418,
regarding Critical off-by-one error in NSD3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
529418: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529418
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: nsd3
Version: 3.0.7-3.lenny1
Severity: grave
Tags: security
Dear NSD users and maintainers,
We have released version 3.2.2. of NSD. This is *critical* bugfix
release. One of the bugs is a one-byte buffer overflow that allows a
carefully crafted exploit to take down your name-server. It is highly
unlikely that the one-byte-off issue can lead to other (system) exploits.
The bug affects all version of NSD 2.0.0 to 3.2.1. Whether the bug can
be exploited to depends on various aspects of the OS and is therefore
distribution and compiler dependent.
For more information:
http://www.nlnetlabs.nl/publications/NSD_vulnerability_announcement.html
We strongly recommend you to update your systems to the latest version.
If you have reasons for not running the latest version of NSD, we
strongly advise you to at least apply the patch that resolves the
critical bug.
The source and patches are available at our website:
http://www.nlnetlabs.nl/downloads/nsd/nsd-3.2.2.tar.gz
http://www.nlnetlabs.nl/downloads/nsd/nsd-3.2.1-vuln.patch
http://www.nlnetlabs.nl/downloads/nsd/nsd-2.3.7-vuln.patch
SHA1 checksum (source): 23fc0be5d447ea852acd49f64743c96403a091fa
SHA1 checksum (patch 3.2.1): 20cb9fc73fae951a9cc25822c48b17ca1d956119
SHA1 checksum (patch 2.3.7): 94887d212621b458a86ad5b086eec9240477
Note that NSD 2.X is feature frozen and security patches may not be made
available in future events.
We acknowledge and thank Ilja von Sprundel of IOActive for finding and
reporting this bug.
Matthijs Mekking
NLnet Labs
RELNOTES:
BUG FIXES:
- - Off-by-one buffer overflow fix while processing the QUESTION section.
- - Return BADVERS when NSD does not implement the VERSION level of the
request, instead of 0x1<FORMERR>.
- - Bugfix #234.
- - Bugfix #235.
- - Reset 'error occurred' after notifying an error occurred at the $TTL
or $ORIGIN directive (Otherwise, the whole zone is skipped because the
error is reset after reading the SOA).
- - Minor bugfixes.
--
Ondřej Surý <ond...@sury.org>
http://blog.rfc1925.org/
--- End Message ---
--- Begin Message ---
Source: nsd3
Source-Version: 3.0.7-3.lenny2
We believe that the bug you reported is fixed in the latest version of
nsd3, which is due to be installed in the Debian FTP archive:
nsd3_3.0.7-3.lenny2.diff.gz
to pool/main/n/nsd3/nsd3_3.0.7-3.lenny2.diff.gz
nsd3_3.0.7-3.lenny2.dsc
to pool/main/n/nsd3/nsd3_3.0.7-3.lenny2.dsc
nsd3_3.0.7-3.lenny2_i386.deb
to pool/main/n/nsd3/nsd3_3.0.7-3.lenny2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 529...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <th...@debian.org> (supplier of updated nsd3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 19 May 2009 16:11:11 +0200
Source: nsd3
Binary: nsd3
Architecture: source i386
Version: 3.0.7-3.lenny2
Distribution: stable-security
Urgency: high
Maintainer: Pierre Habouzit <madco...@debian.org>
Changed-By: Thijs Kinkhorst <th...@debian.org>
Description:
nsd3 - authoritative domain name server (3.x series)
Closes: 529418
Changes:
nsd3 (3.0.7-3.lenny2) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix off-by-one error allowing a DoS (VU#710316, closes: #529418).
Checksums-Sha1:
ad55977d0d506ba4213ceef654c4aebec1d1b7da 1411 nsd3_3.0.7-3.lenny2.dsc
c4038c017e270a4b0012dcaf47c67593f34ddde8 818770 nsd3_3.0.7.orig.tar.gz
a007e847381d13bbec94850666d13176f21a42a4 7042 nsd3_3.0.7-3.lenny2.diff.gz
e2fc7f6197226f5af1572b33e4a7259a26c67be4 818688 nsd3_3.0.7-3.lenny2_i386.deb
Checksums-Sha256:
d53225aca1b716745297dc3ad13f1c4fe00e35a6c7b9e3773b503a6c4aca507f 1411
nsd3_3.0.7-3.lenny2.dsc
73c54aeaf8b302624dca7c570cc0c29b1610ef90b1b2159cb63b01044fdf6bd4 818770
nsd3_3.0.7.orig.tar.gz
c1f4cdb72de5c8e82e20ee6025a0d15a65a4238c7836274cd443b14db408d2ec 7042
nsd3_3.0.7-3.lenny2.diff.gz
a447c63436b843e162d5f9cfdd8ef0808702484936220f5460fccde2dda2dd8f 818688
nsd3_3.0.7-3.lenny2_i386.deb
Files:
8730419f9ee96a1a77ec3ae273f838ce 1411 net extra nsd3_3.0.7-3.lenny2.dsc
37558edef2fe9d9052aafeb73effd4ac 818770 net extra nsd3_3.0.7.orig.tar.gz
49dcc53aac9ce7f2e7c06c8a96f3bf1a 7042 net extra nsd3_3.0.7-3.lenny2.diff.gz
de76aca5b0faa113e92387913eccfa7b 818688 net extra nsd3_3.0.7-3.lenny2_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iQEcBAEBAgAGBQJKEsATAAoJECIIoQCMVaAc/H8H/3KxIYkxUK23cdRsq9V7bFh0
tDykHD7dA92pw87lp1jSrfb7k8MgeK1X0jwFRqa7ALPn8hgpaUjJNffAm24cxGIi
Vn4pnQpwoz05Rc/mewXKfJsNUZax4Qs6bfL5T2khfQnEZMk/hY+PrVezObFvewoZ
+guA/QhH2aV3gHFv8pzQPU/Q9IJwAH2bOddsyg4uxgB3HYWsIcPh2YkJl2+UmbAl
MwOhf/Ypbkzew6YXMDsRO/u/pr+2wENuLnVO5ruPxg1BP+1NwTG2ASQ6teGHbgjP
tBBZzd8LQlJi5Qz2tpPxQuWMFIhSvhZ+wgc5sxd+RqcjInMIcnKhoeH2wdQCxuw=
=a0vf
-----END PGP SIGNATURE-----
--- End Message ---
