Your message dated Fri, 12 Dec 2014 19:04:13 +0000
with message-id <[email protected]>
and subject line Bug#772622: fixed in unbound 1.4.6-1+squeeze4
has caused the Debian Bug report #772622,
regarding CVE-2014-8602: denial of service with endless delegations
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
772622: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772622
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: unbound
Severity: grave
Tags: security
Justification: user security hole
Hi,
as you may already know, a vulnerability in several recursive DNS
implementations (bind, pdns-recursor and unbound, maybe others) has been
found by a researcher.
For unbound, it has been assigned CVE-2014-8602 and more information can
be found on the mailing list post at
https://unbound.net/pipermail/unbound-users/2014-December/003662.html
It's not crystal clear which versions are currently vulnerable so at
first sight I'd say all. Can you prepare updated packages for Wheezy,
Jessie/Sid including only the patch linked in the above mail?
For Wheezy you need to build with -sa (since it's the first security
upload) and target wheezy-security distribution. Then you send us the
debdiff so we can have a quick check, and after our ACK you can upload
to security-master and we release the DSA.
For Jessie, you'll have to make a minimal upload to sid, and ask the
release team for an unblock.
Don't forget to put the CVE number in the changelog.
If you need any help with the above, don't hesitate to contact us.
Regards,
--
Yves-Alexis Perez
Debian security team
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (450,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
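A check for the upload requirements listed in the message above (target suite, orig tarball present because of -sa, CVE number in the changelog, bug closed), written here as an added example and not code from the bug report or the unbound package; the .changes text is a constructed sample with placeholder checksums, modelled on the real one quoted further down the thread.

```python
import re

# Constructed sample modelled on the 1.4.6-1+squeeze4 .changes file quoted
# in this thread; the md5 columns are zero-filled placeholders, not real sums.
SAMPLE_CHANGES = """\
Format: 1.8
Source: unbound
Version: 1.4.6-1+squeeze4
Distribution: squeeze-lts
Urgency: high
Closes: 772622
Changes:
 unbound (1.4.6-1+squeeze4) squeeze-lts; urgency=high
 .
   * Fix CVE-2014-8602: denial of service by making resolver chase endless
     series of delegations; closes: #772622.
Files:
 00000000000000000000000000000000 2042 net optional unbound_1.4.6-1+squeeze4.dsc
 00000000000000000000000000000000 4384085 net optional unbound_1.4.6.orig.tar.gz
"""


def parse_changes(text):
    """Parse the RFC 822-style fields of a .changes file into a dict.
    Lines starting with whitespace continue the previous field."""
    fields = {}
    current = None
    for line in text.splitlines():
        if line[:1].isspace() and current is not None:
            fields[current] += "\n" + line.strip()
        elif ":" in line:
            current, _, value = line.partition(":")
            fields[current] = value.strip()
    return fields


def check_security_upload(fields, bug, cve, allowed_suites):
    """Return a list of problems; an empty list means the checklist passes."""
    problems = []
    dist = fields.get("Distribution", "")
    if dist not in allowed_suites:
        problems.append(f"Distribution {dist!r} not in {sorted(allowed_suites)}")
    if fields.get("Urgency") != "high":
        problems.append("Urgency should be high for a security upload")
    if cve not in fields.get("Changes", ""):
        problems.append(f"changelog does not mention {cve}")
    if str(bug) not in re.findall(r"\d+", fields.get("Closes", "")):
        problems.append(f"upload does not close #{bug}")
    # A first security upload must be built with -sa, so the orig tarball
    # has to be part of the Files list.
    files = [l.split()[-1] for l in fields.get("Files", "").splitlines() if l.strip()]
    if not any(f.endswith(".orig.tar.gz") for f in files):
        problems.append("orig tarball missing: build with -sa")
    return problems
```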
--- Begin Message ---
Source: unbound
Source-Version: 1.4.6-1+squeeze4
We believe that the bug you reported is fixed in the latest version of
unbound, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thorsten Alteholz <[email protected]> (supplier of updated unbound package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Fri, 12 Dec 2014 18:34:57 +0100
Source: unbound
Binary: unbound unbound-host libunbound2 libunbound-dev
Architecture: source i386
Version: 1.4.6-1+squeeze4
Distribution: squeeze-lts
Urgency: high
Maintainer: Robert S. Edmonds <[email protected]>
Changed-By: Thorsten Alteholz <[email protected]>
Description:
libunbound-dev - static library, header files, and docs for libunbound
libunbound2 - library implementing DNS resolution and validation
unbound - validating, recursive, caching DNS resolver
unbound-host - reimplementation of the 'host' command
Closes: 772622
Changes:
unbound (1.4.6-1+squeeze4) squeeze-lts; urgency=high
.
* Fix CVE-2014-8602: denial of service by making resolver chase endless
series of delegations; closes: #772622.
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---