Bug 261204 - <mail-filter/dkim-milter-2.8.1 DNS public key DoS (CVE-2009-0770)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://sourceforge.net/tracker/index....
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-03-04 18:26 UTC by Robert Buchholz (RETIRED)
Modified: 2009-03-06 09:41 UTC

See Also:
Package list:
Runtime testing required: ---


Description Robert Buchholz (RETIRED) gentoo-dev 2009-03-04 18:26:45 UTC
On Sunday 01 March 2009, Steffen Joeris wrote:
> dkim-milter is prone to a DoS attack via a crafted or revoked
> public key record in DNS.
...
> http://sourceforge.net/tracker/index.php?func=detail&aid=2508602&group_id=139420&atid=744358
>
> http://www.debian.org/security/2009/dsa-1728
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-03-04 18:27:58 UTC
good to know it's fixed already

*dkim-milter-2.8.1 (17 Jan 2009)

  17 Jan 2009; Daniel Black <dragonheart@gentoo.org>
  -files/dkim-milter-2.7.0-gentoo.patch,
  -files/dkim-milter-2.7.2-gentoo.patch, -dkim-milter-2.7.0.ebuild,
  -dkim-milter-2.7.2.ebuild, -dkim-milter-2.8.0.ebuild,
  +dkim-milter-2.8.1.ebuild:
  version bump that fixes security vulnerability (dkim validation weakness -
  see release notes). old vulnerable versions removed

Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2009-03-06 09:41:34 UTC
CVE-2009-0770 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0770):
  dkim-milter 2.6.0 through 2.8.0 allows remote attackers to cause a
  denial of service (crash) by signing a message with a key that has
  been revoked in DNS, which triggers an assertion error.
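
Added example, not part of the bug report and not dkim-milter's code: the CVE text above describes a revoked key in DNS reaching an assertion, so this sketch shows a key-record check that reports a revoked key as an ordinary verification result. It assumes the DKIM convention (RFC 4871) that an empty `p=` tag marks a revoked key; `classify_key_record` and the `KEY_*` codes are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes; not dkim-milter's own identifiers. */
enum key_status { KEY_OK, KEY_REVOKED, KEY_MALFORMED };

/*
 * Classify a DKIM key record (TXT payload fetched from untrusted DNS).
 * Every outcome, a revoked key included, comes back as a status code,
 * so the caller fails verification for that message and keeps running.
 */
enum key_status classify_key_record(const char *txt)
{
    const char *s = txt;

    if (s == NULL)
        return KEY_MALFORMED;
    for (;;) {
        const char *end, *eq, *name_end, *val;

        while (isspace((unsigned char)*s))
            s++;
        if (*s == '\0')
            return KEY_MALFORMED;            /* no p= tag in the record */
        end = strchr(s, ';');
        if (end == NULL)
            end = s + strlen(s);
        eq = memchr(s, '=', (size_t)(end - s));
        if (eq == NULL)
            return KEY_MALFORMED;            /* tag without a value part */
        for (name_end = eq; name_end > s && isspace((unsigned char)name_end[-1]);)
            name_end--;
        if (name_end - s == 1 && *s == 'p') {
            for (val = eq + 1; val < end && isspace((unsigned char)*val);)
                val++;
            return val == end ? KEY_REVOKED : KEY_OK;  /* empty p= means revoked */
        }
        s = (*end == ';') ? end + 1 : end;
    }
}

int main(void)
{
    /* Constructed sample records; the key data is a placeholder. */
    printf("%d\n", classify_key_record("v=DKIM1; k=rsa; p="));
    printf("%d\n", classify_key_record("v=DKIM1; k=rsa; p=PLACEHOLDERKEY"));
    return 0;
}
```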