From ${URL} :
It turns out that most DNS server implementations do not implement reasonable restrictions for zone sizes. This allows an explicitly configured primary DNS server for a zone to crash a secondary DNS server, affecting service of other zones hosted on the same secondary server.
Some references:
https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015058.html
https://lists.dns-oarc.net/pipermail/dns-operations/2016-July/015075.html
https://gitlab.labs.nic.cz/labs/knot/merge_requests/541
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=790
PowerDNS is reportedly affected as well, but I did not find a public bug for this issue.
@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
According to the ChangeLog of nsd-4.1.11 this has been fixed. @Tom: Can we stabilize this version anytime soon?
I did a quick test and a simple version bump will do fine for 4.1.11 (after removing the nsd-4.1.10 specific ipv6 patch, which is included upstream in 4.1.11). As far as the glsa tag in whiteboard: the nsd developers didn't think an emergency release for this issue was necessary. But the Security should have the final take on the glsa anyway.
Created attachment 444200
$ diff -u /usr/portage/net-dns/nsd/nsd-4.1.10.ebuild nsd-4.1.11.ebuild
No version of this package has ever been stabilized. Dunno if it's still woth a GLSA.
I mean "worth" of course.
No stable versions, closing as noglsa.
Is 3.2.22 not affected by this?
(In reply to Yury German from comment #6)
> No stable versions, closing as noglsa.
Closing.