On Fri, Aug 02, 2024 at 10:55:55AM -0300, Eduardo M KALINOWSKI wrote:
> On 02/08/2024 10:44, Roberto C. Sánchez wrote:
> > On Fri, Aug 02, 2024 at 10:15:38AM -0300, Eduardo M KALINOWSKI wrote:
> > > Maybe related to https://kb.isc.org/docs/rrset-limits-in-zones ?
> > >
> > > See also
> > > https://lists.debian.org/debian-security-announce/2024/msg00145.html (even
> > > if it does not directly apply to buster).
> > >
> > That seems unlikely, as the bind9 package in buster have not yet been
> > updated to fix the CVEs referenced in that particular DSA.
> >
> > Brian, can you provide more details about what specific packages were
> > updated and from what version to what version? You can find that
> > information in /var/log/dpkg.log*.
>
> buster has a new upstream version 9.20.0, which includes the new
> configuration options, and a default limit of 100 for each when they're not
> set (according the the first link).
>
That new upstream version (9.20.0) is in sid/trixie. Buster has this:
root@build01:/# cat /etc/debian_version
10.13
root@build01:/# apt-cache policy bind9
bind9:
Installed: (none)
Candidate: 1:9.11.5.P4+dfsg-5.1+deb10u11
Version table:
1:9.11.5.P4+dfsg-5.1+deb10u11 500
500 http://security.debian.org buster/updates/main amd64 Packages
1:9.11.5.P4+dfsg-5.1+deb10u7 500
500 http://deb.debian.org/debian buster/main amd64 Packages
This matches what is listed in the PTS [0].
[0] https://tracker.debian.org/pkg/bind9
--
Roberto C. Sánchez
