Bug 203074 (CVE-2007-6341) - dev-perl/Net-DNS < 0.63 "croak" assertion DNS response DoS (CVE-2007-6341)
Summary: dev-perl/Net-DNS < 0.63 "croak" assertion DNS response DoS (CVE-2007-6341)
Status: RESOLVED FIXED
Alias: CVE-2007-6341
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: https://rt.cpan.org/Public/Bug/Displa...
Whiteboard: B3 [noglsa]
Reported: 2007-12-22 21:13 UTC by Robert Buchholz (RETIRED)
Modified: 2011-10-20 04:59 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 21:13:55 UTC
CVE-2007-6341 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6341):
  Net/DNS/RR/A.pm in Net::DNS 0.60 build 654, as used in packages such as
  SpamAssassin and OTRS, allows remote attackers to cause a denial of service
  (program "croak") via a crafted DNS response.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 21:18:36 UTC
Perl, please advise.
Comment 2 Antoine Raillon (RETIRED) gentoo-dev 2007-12-23 13:23:00 UTC
Net::DNS 0.61 is already in the tree and marked stable.

SpamAssassin and OTRS both depend on the most recent version of Net-DNS, and nothing is explicitly tied to the 0.60 release, so there should be no problems ;)

However, I'll check a bit more and if everything is fine I'll probably drop the 0.60 version from the tree to avoid further problems.

Is it fine for the security team?
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-12-23 17:20:21 UTC
The CVE name only states 0.60 affected, but since the bug report is newer than the 0.61 release, I assume the issue is not fixed in 0.61 either.

I'll research this after the holidays, or we can inquire with upstream.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-06 18:34:15 UTC
Comment on upstream bug:

It is fairly clear what happens and there will be a solution, however not in the forthcoming 0.62 release.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-07 22:52:42 UTC
According to the upstream bug, the bug is fixed in 0.63. Perl, please bump.
Comment 6 Jonathan Smith (RETIRED) gentoo-dev 2008-03-08 23:49:17 UTC
Note that Red Hat does not consider this a security issue. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=426437
Comment 7 Torsten Veller (RETIRED) gentoo-dev 2008-04-23 10:02:54 UTC
dev-perl/Net-DNS-0.63 is in the tree.
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-04-23 10:43:19 UTC
(In reply to comment #7)
> dev-perl/Net-DNS-0.63 is in the tree.

Thanks. Arches, please test and mark stable.

target "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 release sh sparc x86"

Comment 9 Ferris McCormick (RETIRED) gentoo-dev 2008-04-23 12:51:10 UTC
Sparc stable, all tests good (installed digest-bubblebabble for completeness) except for a couple which are skipped.
Comment 10 Ricardo Mendoza (RETIRED) gentoo-dev 2008-04-23 14:55:14 UTC
mips is ~arch only
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2008-04-23 15:04:52 UTC
Stable for HPPA.
Comment 12 Markus Meier gentoo-dev 2008-04-23 21:16:41 UTC
amd64/x86 stable
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2008-04-24 09:07:02 UTC
alpha/ia64 stable
Comment 14 Markus Rothe (RETIRED) gentoo-dev 2008-04-24 17:23:52 UTC
ppc64 stable
Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2008-04-24 19:06:40 UTC
ppc stable, ready for GLSA voting.
Comment 16 Peter Volkov (RETIRED) gentoo-dev 2008-04-26 09:31:49 UTC
Fixed in release snapshot.
Comment 17 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-29 13:18:20 UTC
tend to vote no
Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-05 21:23:04 UTC
no too, and closing