As per the attached email, I wonder if you would be interested in point releases for the old versions of maradns to fix #653838 and what the relevant timescales would be.
There is also the question of unarchiving and fixing #584587 in the lenny version whilst we still have the chance.
--- Begin Message ---
Hi Nicholas,

On Friday 30 December 2011 20:18:16, Nicholas Bamber wrote:
> As per this email I am preparing 1.4.08-1 of the maradns package. I am
> wondering what your view would be about the old versions of maradns. It
> does not look like a very large patch.

Thanks. You should indeed upload 1.4.09 to unstable and set urgency=medium.

Talking about updating (old)stable. I've been pondering the issue a while. My preliminary conclusion is that this is an issue worth fixing, because breaking DNS of course breaks an entire network, but especially because MaraDNS advertises itself as a 'security-focused' product specifically.

However, in order to exploit it, one needs to allow untrusted users to perform recursive queries. As we all know, allowing the general public to perform recursive queries on your server is considered a security problem to begin with, so we can expect this not to be a very common case. Of course there will be an installation here or there that caters to some internal network on which not everyone is fully trusted, but that seems like a border case to me.

So concluding, I would say that this issue is very fit for a stable point update, not a DSA. You should get in contact with the SRMs about this straight away, since a point release for squeeze is around the corner.

I would definitely also update Lenny, because (a) upstream has actually released a patch for the version in lenny, and (b) this month is the last chance to do so.

Are you available to take care of this?

Cheers,
Thijs
--- End Message ---