| Summary: | <net-dns/nsd-4.1.11: Malicious primary DNS servers can crash secondaries | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> | ||||
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | trivial | CC: | polynomial-c | ||||
| Priority: | Normal | ||||||
| Version: | unspecified | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| URL: | http://www.openwall.com/lists/oss-security/2016/07/06/3 | ||||||
| Whiteboard: | ~3 [noglsa] | ||||||
| Package list: | Runtime testing required: | --- | |||||
| Attachments: |
|
||||||
According to the ChangeLog of nsd-4.1.11 this has been fixed. @Tom: Can we stabilize this version anytime soon? I did a quick test and a simple version bump will do fine for 4.1.11 (after removing the nsd-4.1.10 specific ipv6 patch, which is included upstream in 4.1.11). As far as the glsa tag in whiteboard: the nsd developers didn't think an emergency release for this issue was necessary. But the Security should have the final take on the glsa anyway. Created attachment 444200 [details]
$ diff -u /usr/portage/net-dns/nsd/nsd-4.1.10.ebuild nsd-4.1.11.ebuild
No version of this package has ever been stabilized. Dunno if it's still woth a GLSA. I mean "worth" of course. No stable versions, closing as noglsa. Is 3.2.22 not affected by this?(In reply to Yury German from comment #6) > No stable versions, closing as noglsa. Closing. |
From ${URL} : It turns out that most DNS server implementations do not implement reasonable restrictions for zone sizes. This allows an explicitly configured primary DNS server for a zone to crash a secondary DNS server, affecting service of other zones hosted on the same secondary server. Some references: https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015058.html https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015075.html https://gitlab.labs.nic.cz/labs/knot/merge_requests/541 https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=790 PowerDNS is reportedly affected as well, but I did not find a public bug for this issue. @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.