Bug 204351 (CVE-2008-0061)

Summary:	net-dns/maradns < 1.2.12.09 CNAME Remote DoS (CVE-2008-0061)
Product:	Gentoo Security	Reporter:	Robert Buchholz (RETIRED) <rbu>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	matsuu
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://maradns.blogspot.com/2007/08/maradns-update-all-versions.html
Whiteboard:	B3 [glsa]
Package list:		Runtime testing required:	---

Description Robert Buchholz (RETIRED) gentoo-dev

2008-01-04 23:50:25 UTC

CVE-2008-0061 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0061):
  MaraDNS 1.0 before 1.0.41, 1.2 before 1.2.12.08, and 1.3 before 1.3.07.04
  allows remote attackers to cause a denial of service via a crafted DNS packet
  that prevents an authoritative name (CNAME) record from resolving, aka
  "improper rotation of resource records."

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2008-01-04 23:51:40 UTC

Matsuu, please advise.

Comment 2 MATSUU Takuto (RETIRED) gentoo-dev

2008-01-06 03:11:19 UTC

1.2.12.09 and 1.3.07.08 in cvs.

please mark stable 1.2.12.09

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2008-01-06 08:49:47 UTC

Thx MATSUU.

Arches please test and mark stable. Target keywords are:
maradns-1.2.12.09.ebuild:KEYWORDS="amd64 ppc sparc x86"

Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev

2008-01-06 18:26:26 UTC

ppc stable

Comment 5 Christian Faulhammer (RETIRED) gentoo-dev

2008-01-06 18:40:22 UTC

x86 stable

Comment 6 Raúl Porcel (RETIRED) gentoo-dev

2008-01-06 22:09:00 UTC

sparc stable

Comment 7 Peter Weller (RETIRED) gentoo-dev

2008-01-16 16:06:19 UTC

amd64 done.

Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2008-01-16 19:07:13 UTC

This one is ready for GLSA vote. I vote YES.

Comment 9 Robert Buchholz (RETIRED) gentoo-dev

2008-01-27 19:19:07 UTC

yes, filed.

Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2008-01-29 23:07:09 UTC

GLSA 200801-16 sent, thanks everybody