Your message dated Sat, 07 Oct 2017 11:33:55 +0100
with message-id <1507372435.18586.64.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 9.2 point release
has caused the Debian Bug report #872928,
regarding stretch-pu: package dnsdist/1.1.0-2+deb9u1
to be marked as done.
--
872928: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872928
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi,
this update fixes the low-severity CVEs CVE-2016-7069 and CVE-2017-7557,
purely based on version-targeted patches from upstream.
Thanks,
Chris
diff -Nru dnsdist-1.1.0/debian/changelog dnsdist-1.1.0/debian/changelog
--- dnsdist-1.1.0/debian/changelog 2016-12-31 15:50:47.000000000 +0000
+++ dnsdist-1.1.0/debian/changelog 2017-08-22 13:58:05.000000000 +0000
@@ -1,3 +1,10 @@
+dnsdist (1.1.0-2+deb9u1) stretch; urgency=medium
+
+ * Fix CVE-2016-7069, CVE-2017-7557 using patches from upstream
+ (Closes: #872854)
+
+ -- Christian Hofstaedtler <z...@debian.org> Tue, 22 Aug 2017 13:58:05 +0000
+
dnsdist (1.1.0-2) unstable; urgency=medium
* Bump debhelper compat to 10 for systemd support.
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch
dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch
--- dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch 1970-01-01
00:00:00.000000000 +0000
+++ dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch 2017-08-22
13:58:05.000000000 +0000
@@ -0,0 +1,37 @@
+--- a/dnsdist-ecs.cc
++++ b/dnsdist-ecs.cc
+@@ -392,26 +392,29 @@ void handleEDNSClientSubnet(char* const packet, const
size_t packetSize, const u
+ static int removeEDNSOptionFromOptions(unsigned char* optionsStart, const
uint16_t optionsLen, const uint16_t optionCodeToRemove, uint16_t* newOptionsLen)
+ {
+ unsigned char* p = optionsStart;
+- const unsigned char* end = p + optionsLen;
+- while ((p + 4) <= end) {
++ size_t pos = 0;
++ while ((pos + 4) <= optionsLen) {
+ unsigned char* optionBegin = p;
+ const uint16_t optionCode = 0x100*p[0] + p[1];
+ p += sizeof(optionCode);
++ pos += sizeof(optionCode);
+ const uint16_t optionLen = 0x100*p[0] + p[1];
+ p += sizeof(optionLen);
+- if ((p + optionLen) > end) {
++ pos += sizeof(optionLen);
++ if ((pos + optionLen) > optionsLen) {
+ return EINVAL;
+ }
+ if (optionCode == optionCodeToRemove) {
+- if (p + optionLen < end) {
++ if (pos + optionLen < optionsLen) {
+ /* move remaining options over the removed one,
+ if any */
+- memmove(optionBegin, p + optionLen, end - (p + optionLen));
++ memmove(optionBegin, p + optionLen, optionsLen - (pos + optionLen));
+ }
+ *newOptionsLen = optionsLen - (sizeof(optionCode) + sizeof(optionLen) +
optionLen);
+ return 0;
+ }
+ p += optionLen;
++ pos += optionLen;
+ }
+ return ENOENT;
+ }
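Review bot: The rewritten loop in removeEDNSOptionFromOptions carries two cursors, `p` and `pos`, that must be advanced together on every path, and nothing in the code says why the bounds checks moved from pointers to offsets. A later edit that advances one and not the other would quietly bring back an out-of-bounds read or `memmove`, so I would derive the pointer from the offset at the top of each iteration (`unsigned char* p = optionsStart + pos;`) and drop the trailing `p += optionLen;`. Failing that, a comment above the loop would help, e.g. `/* bounds are checked on offsets, not pointers: p + optionLen may point past the buffer before the comparison is made */` (presumably the reason for the change). A header comment should also say that the function removes only the first matching option and then returns, so a caller that needs every occurrence stripped has to call it again with `*newOptionsLen`.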
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc
dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc
--- dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc 1970-01-01
00:00:00.000000000 +0000
+++ dnsdist-1.1.0/debian/patches/CVE-2016-7069.patch.asc 2017-08-22
13:58:05.000000000 +0000
@@ -0,0 +1,12 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAlmcNN0aHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEZjugf9FqmZzPzql6A8yvqix4lj
+/dXYIuuoIqt2NKIZlKkf4QsMO9fhF+AC6WkPessodAExkyB4IdxrmneumWvVNRpO
+beXT+2l6COKjvDkmYvc+5qKDUPEYHxvh6G1dBFDSGvn5AH5uZI2xXko7R3NdA2m+
+hThY37mkDSsiHrqWGNjj6/DoWIJFeU7gRg2aHkos68JiNdIhai6LMYerwecu4v1b
+6Y5xG6hI85Ofn25xKbXNBjAlj1vYJS8/nMYqqWdxD+eIFKX9FkClwE9IkOdqmyRv
+K0vceChANzLvnIzIcYm81AgKTKqPAoQMQP/0L+IG4hSwVTytHLeajsbQ/XRFDUUW
+Gg==
+=+FBw
+-----END PGP SIGNATURE-----
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch
dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch
--- dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch 1970-01-01
00:00:00.000000000 +0000
+++ dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch 2017-08-22
13:58:05.000000000 +0000
@@ -0,0 +1,123 @@
+--- a/dnsdist-web.cc
++++ b/dnsdist-web.cc
+@@ -79,13 +79,28 @@ static void apiSaveACL(const NetmaskGroup& nmg)
+ apiWriteConfigFile("acl", content);
+ }
+
+-static bool compareAuthorization(YaHTTP::Request& req, const string
&expected_password, const string& expectedApiKey)
++static bool checkAPIKey(const YaHTTP::Request& req, const string&
expectedApiKey)
+ {
+- // validate password
+- YaHTTP::strstr_map_t::iterator header = req.headers.find("authorization");
+- bool auth_ok = false;
+- if (header != req.headers.end() && toLower(header->second).find("basic ")
== 0) {
+- string cookie = header->second.substr(6);
++ if (expectedApiKey.empty()) {
++ return false;
++ }
++
++ const auto header = req.headers.find("x-api-key");
++ if (header != req.headers.end()) {
++ return (header->second == expectedApiKey);
++ }
++
++ return false;
++}
++
++static bool checkWebPassword(const YaHTTP::Request& req, const string
&expected_password)
++{
++ static const char basicStr[] = "basic ";
++
++ const auto header = req.headers.find("authorization");
++
++ if (header != req.headers.end() && toLower(header->second).find(basicStr)
== 0) {
++ string cookie = header->second.substr(sizeof(basicStr) - 1);
+
+ string plain;
+ B64Decode(cookie, plain);
+@@ -93,24 +108,46 @@ static bool compareAuthorization(YaHTTP::Request& req,
const string &expected_pa
+ vector<string> cparts;
+ stringtok(cparts, plain, ":");
+
+- // this gets rid of terminating zeros
+- auth_ok = (cparts.size()==2 && (0==strcmp(cparts[1].c_str(),
expected_password.c_str())));
++ if (cparts.size() == 2) {
++ return cparts[1] == expected_password;
++ }
+ }
+- if (!auth_ok && !expectedApiKey.empty()) {
+- /* if this is a request for the API,
+- check if the API key is correct */
+- if (req.url.path=="/jsonstat" ||
+- req.url.path=="/api/v1/servers/localhost" ||
+- req.url.path=="/api/v1/servers/localhost/config" ||
+- req.url.path=="/api/v1/servers/localhost/config/allow-from" ||
+- req.url.path=="/api/v1/servers/localhost/statistics") {
+- header = req.headers.find("x-api-key");
+- if (header != req.headers.end()) {
+- auth_ok = (0==strcmp(header->second.c_str(), expectedApiKey.c_str()));
+- }
++
++ return false;
++}
++
++static bool isAnAPIRequest(const YaHTTP::Request& req)
++{
++ return req.url.path.find("/api/") == 0;
++}
++
++static bool isAnAPIRequestAllowedWithWebAuth(const YaHTTP::Request& req)
++{
++ return req.url.path == "/api/v1/servers/localhost";
++}
++
++static bool isAStatsRequest(const YaHTTP::Request& req)
++{
++ return req.url.path == "/jsonstat";
++}
++
++static bool compareAuthorization(const YaHTTP::Request& req, const string
&expected_password, const string& expectedApiKey)
++{
++ if (isAnAPIRequest(req)) {
++ /* Access to the API requires a valid API key */
++ if (checkAPIKey(req, expectedApiKey)) {
++ return true;
+ }
++
++ return isAnAPIRequestAllowedWithWebAuth(req) && checkWebPassword(req,
expected_password);
++ }
++
++ if (isAStatsRequest(req)) {
++ /* Access to the stats is allowed for both API and Web users */
++ return checkAPIKey(req, expectedApiKey) || checkWebPassword(req,
expected_password);
+ }
+- return auth_ok;
++
++ return checkWebPassword(req, expected_password);
+ }
+
+ static bool isMethodAllowed(const YaHTTP::Request& req)
+@@ -126,9 +163,9 @@ static bool isMethodAllowed(const YaHTTP::Request& req)
+ return false;
+ }
+
+-static void handleCORS(YaHTTP::Request& req, YaHTTP::Response& resp)
++static void handleCORS(const YaHTTP::Request& req, YaHTTP::Response& resp)
+ {
+- YaHTTP::strstr_map_t::iterator origin = req.headers.find("Origin");
++ const auto origin = req.headers.find("Origin");
+ if (origin != req.headers.end()) {
+ if (req.method == "OPTIONS") {
+ /* Pre-flight request */
+@@ -142,7 +179,10 @@ static void handleCORS(YaHTTP::Request& req,
YaHTTP::Response& resp)
+ }
+
+ resp.headers["Access-Control-Allow-Origin"] = origin->second;
+- resp.headers["Access-Control-Allow-Credentials"] = "true";
++
++ if (isAStatsRequest(req) || isAnAPIRequestAllowedWithWebAuth(req)) {
++ resp.headers["Access-Control-Allow-Credentials"] = "true";
++ }
+ }
+ }
+
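Review bot: Both secret checks use `std::string::operator==` (`header->second == expectedApiKey` in checkAPIKey and `cparts[1] == expected_password` in checkWebPassword), which can stop at the first differing byte, so response timing may depend on how much of a submitted value is correct. The removed `strcmp` calls had the same property, but since this patch rewrites the authentication path it is the natural place to switch to a comparison whose running time does not depend on content. A sketch of a local helper follows; the name is only a suggestion, and the file may already have an equivalent outside this hunk. Separately, if `stringtok` splits on every `:`, a password containing a colon yields more than two parts and can never pass the `cparts.size() == 2` test, so splitting at the first colon only would be safer.

```cpp
/* suggested helper: running time depends on the length, not on the content */
static bool constantTimeEquals(const string& a, const string& b)
{
  if (a.size() != b.size()) {
    return false;
  }
  volatile unsigned char diff = 0;
  for (size_t idx = 0; idx < a.size(); idx++) {
    diff = diff | (static_cast<unsigned char>(a[idx]) ^ static_cast<unsigned char>(b[idx]));
  }
  return diff == 0;
}

// … unchanged: checkAPIKey empty-key guard and header lookup …
    return constantTimeEquals(header->second, expectedApiKey);

// … unchanged: checkWebPassword header lookup, B64Decode and stringtok …
    if (cparts.size() == 2) {
      return constantTimeEquals(cparts[1], expected_password);
    }
```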
diff -Nru dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch.asc
dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch.asc
--- dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch.asc 1970-01-01
00:00:00.000000000 +0000
+++ dnsdist-1.1.0/debian/patches/CVE-2017-7557-1.1.0.patch.asc 2017-08-22
13:58:05.000000000 +0000
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQFNBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAlmcNNYaHHJlbWkuZ2Fj
+b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEYw+Qf3eZKM2q3WXjmX1up/63Nr
+BqjWHCasVxEG30NA+yGMVumuTol84AuO2t7mpZROxIu0SHlcnYNn0ehoSLI7KdJG
+8ZDzJVWKMCW1hScdIPjIu4PEHyjHB+ws5ty8Z92Oz6k/vp4t/LVTwrMDXzBbpfET
+TxujIcIGPJGjZFZoH64TQ5wSM+t4LzvjxdoUCmCMghfa9lPr9pqPoG6hnpU59Xn0
+7dIOYzECDLe/xNTp0dEe+pncAhEprsKPeqSVMwpZWYq7Zk0IK1I/uAiUp7t48EJU
+NsWLovH98eL+dTLKd/j/Zc+sfiG/0sKlQsLygqHy54zc9e2FR2Kz5BKNaYcttbwq
+=B1Fh
+-----END PGP SIGNATURE-----
diff -Nru dnsdist-1.1.0/debian/patches/series
dnsdist-1.1.0/debian/patches/series
--- dnsdist-1.1.0/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ dnsdist-1.1.0/debian/patches/series 2017-08-22 13:58:05.000000000 +0000
@@ -0,0 +1,2 @@
+CVE-2016-7069.patch
+CVE-2017-7557-1.1.0.patch
--- End Message ---
--- Begin Message ---
Version: 9.2
Hi.
The updates referenced by each of these bugs were included in today's
point release of stretch.
Regards,
Adam
--- End Message ---