On 10/11/12 15:10, intrigeri wrote:
> tags 690075 + moreinfo
> thanks
>
> Hi Moritz,
>
> Moritz Muehlenhoff wrote (09 Oct 2012 17:51:26 GMT) :
>> Please unblock package dnsmasq
>> It fixes CVE-2012-3411
>> unblock dnsmasq/2.63-4
>
> The new upstream version includes quite a few changes that are
> unrelated to the security fix, which probably partly explains why
> nobody reviewed the proposed changes yet.
>
> However, determining which exact set of patches should be backported
> from upstream to fix this issue is not trivial, and I guess that's why
> Moritz asks for the whole thing to be unblocked:
>
> 54dd393 (Add --bind-dynamic) is obvious, but a few follow-up commits
> come to fix the problems brought by the initial implementation; at
> least these two ones seem needed:
>
> * 2b5bae9 -- Fall back from --bind-dynamic to --bind-interfaces in
>   BSD, rather than quitting
> * 5f11b3e -- Cope with --listen-address for not yet existent addr in
>   bind-dynamic mode
>
> ... and I would not bet that's enough.
>
> Simon, are you interested in listing the commits that are needed,
> on top of 2.62-3, to fix CVE-2012-3411 without breaking anything?

I'd strongly suggest moving to 2.63-4, rather than backporting. The
changes for the security fix are not trivial, and the probability of
introducing a bug when backporting is much larger than the probability that
there's an un-found bug in 2.63 which is not in 2.62. There are no
intended backwards incompatibilities between 2.63 and 2.62, and no
un-intended ones have been found in the three months since 2.63 was
released.
Cheers,
Simon.