On Sunday 01 March 2009, Florian Weimer wrote: > tinydns from djbdns version 1.05 and earlier incorrectly implements > DNS label compression, allowing malicious zone editors to inject > poisonous records into the additional section.
There is a (very simple!) patch on $URL. Do we have any reason not to apply it? DJB reviewed it: http://article.gmane.org/gmane.network.djbdns/13864
CVE-2009-0858 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0858): The response_addname function in response.c in Daniel J. Bernstein djbdns 1.05 and earlier does not constrain offsets in the required manner, which allows remote attackers, with control over a third-party subdomain served by tinydns and axfrdns, to trigger DNS responses containing arbitrary records via crafted zone data for this subdomain.
Hello, add patch?
gengor, please feel free to do a revision bump and apply this patch under the authority of the security team.
CVE-2009-0858 is fixed in =net-dns/djbdns-1.05-r23. During bumping I noticed in the case of USE="ipv6" the patches for bug #260014 were only being applied to the noipv6 workdir used for building dnstrace. I've ported the CVE-2008-4392 to the ipv6-patched version and ensured both workdirs get patched. Hopefully my ported patches don't suck. Arches, please test and mark stable: =net-dns/djbdns-1.05-r23 Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
ppc and ppc64 done
amd64/x86 stable
Stable on alpha.
sparc stable
Stable for HPPA.
(In reply to comment #10) > Stable for HPPA. > That's everyone, though mips is still stuck on =net-dns/djbdns-1.05-r17 for stable. =net-dns/djbdns-1.05-r22 can be removed, leaving that for killerfox when he gets back.
Ready for vote, I vote YES.
Yes, too, request filed.
Could also be closed, all affected versions are gone from the tree.
This issue has been fixed since Mar 23, 2009. No GLSA will be issued.
