G'day,

This is my first post to this list, so bear with me...
OpenBSD has not yet replaced BIND with NSD + Unbound, but NSD 3.2.9 is enabled in 5.1 builds. This version has at least 2 known CVEs that have been fixed in upstream releases:

3.2.12: Fix for VU#624931 CVE-2012-2978: NSD denial of service vulnerability from non-standard DNS packet from any host on the internet.

3.2.13: Bugfix #461 (VU#517036 CVE-2012-2979): NSD denial of service vulnerability from DNS packet when using --enable-zone-stats.

According to the changelog, 5.2 will come with 3.2.12, closing CVE-2012-2978. Only -current has 3.2.13, closing CVE-2012-2979. I have not found a patch for it in the 5.1 errata so far.

Does not providing a patch for OpenBSD 5.1's nsd mean it is not vulnerable to the mentioned CVEs? Or is it because BIND is still the default nameserver that providing patches for nsd is out of scope for 5.1-stable?

I'd like to better understand, after reading man and docs so far.

Best regards,
Mat