Hi Enrico,

On Mon, Jun 06, 2022 at 11:53:59AM +0200, Enrico Zini wrote:
> Hello,
>
> last month as part of Freexian onboarding I tried to work on pdns:
> https://security-tracker.debian.org/tracker/source-package/pdns
>
> I backported patches for CVE-2020-17482 and CVE-2019-10203
> to https://salsa.debian.org/enrico/pdns/-/tree/stretch
>
> For CVE-2022-27227, available patches touch code that mostly didn't
> exist in 4.0.3, and zeha commented on IRC:
>
> > do you have actual users on 4.0.x which are -actually- affected by the
> > IXFR things? i think if one uses 4.0.x to run a domain on the public
> > internet, you'll have other problems
>
> It looks like a case for tagging as no-dsa: would you agree?

FWIW, for the regular security supported suites we in fact marked
CVE-2022-27227 already as no-dsa. Unauthoritative answer here, but I
guess I would do the same for pdns in stretch.

Regards,
Salvatore