Summary: | dev-perl/Net-DNS < 0.63 "croak" assertion DNS response DoS (CVE-2007-6341) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | fmccor, ismail, lkundrak, perl |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://rt.cpan.org/Public/Bug/Display.html?id=30316 | | |
Whiteboard: | B3 [noglsa] | | |
Package list: | | Runtime testing required: | --- |
Description
Robert Buchholz (RETIRED)
2007-12-22 21:13:55 UTC
Perl, please advise.

Net::DNS 0.61 is already in the tree and marked stable. Spamassassin and OTRS both depend on the most recent version of Net-DNS, and nothing is explicitly tied to the 0.60 release, so there should be no problems ;) however I'll check a bit more and if everything is fine I'll probably drop the 0.60 version from the tree to avoid further problems. Is it fine for the security team?

The CVE name only states 0.60 affected, but since the bug report is newer than the 0.61 release, I assume the issue is not fixed in 0.61 either. I'll research this after the holidays, or we can inquire with upstream.

Comment on upstream bug: It is fairly clear what happens and there will be a solution, however not in the forthcoming 0.62 release.

according to upstream bug, bug is fixed in 0.63. perl, please bump.

note that redhat does not consider this a security issue. reference https://bugzilla.redhat.com/show_bug.cgi?id=426437

dev-perl/Net-DNS-0.63 is in the tree.

(In reply to comment #7)
> dev-perl/Net-DNS-0.63 is in the tree.
>

thanks. arches, please test and mark stable.
target "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 release sh sparc x86"

Sparc stable, all tests good (installed digest-bubblebabble for completeness) except for a couple which are skipped.

mips is ~arch only

Stable for HPPA.

amd64/x86 stable

alpha/ia64 stable

ppc64 stable

ppc stable, ready for GLSA voting.

Fixed in release snapshot.

tend to vote no

no too, and closing