CVE-2007-6341 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6341): Net/DNS/RR/A.pm in Net::DNS 0.60 build 654, as used in packages such as SpamAssassin and OTRS, allows remote attackers to cause a denial of service (program "croak") via a crafted DNS response.
Perl, please advise.
Net::DNS 0.61 is already in the tree and marked stable. SpamAssassin and OTRS both depend on the most recent version of Net-DNS, and nothing is explicitly tied to the 0.60 release, so there should be no problems ;) however I'll check a bit more and if everything is fine I'll probably drop the 0.60 version from the tree to avoid further problems. Is it fine for the security team?
The CVE name only states 0.60 affected, but since the bug report is newer than the 0.61 release, I assume the issue is not fixed in 0.61 either. I'll research this after the holidays, or we can inquire with upstream.
Comment on upstream bug: It is fairly clear what happens and there will be a solution, however not in the forthcoming 0.62 release.
According to upstream bug, bug is fixed in 0.63. Perl, please bump.
Note that Red Hat does not consider this a security issue. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=426437
dev-perl/Net-DNS-0.63 is in the tree.
(In reply to comment #7)
> dev-perl/Net-DNS-0.63 is in the tree.
thanks. arches, please test and mark stable. target "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 release sh sparc x86"
Sparc stable, all tests good (installed digest-bubblebabble for completeness) except for a couple which are skipped.
mips is ~arch only
Stable for HPPA.
amd64/x86 stable
alpha/ia64 stable
ppc64 stable
ppc stable, ready for GLSA voting.
Fixed in release snapshot.
tend to vote no
no too, and closing