On 2012-09-20, Mathieu Simon <mathieu....@gmail.com> wrote:
> G'day
>
> This is my first post to this list - so bear with me...
>
> OpenBSD has not yet replaced BIND with NSD + Unbound, but NSD 3.2.9 is
> enabled in 5.1 builds. This version has at least 2 known CVEs that
> have been fixed with upstream releases:
>
> 3.2.12:
> Fix for VU#624931 CVE-2012-2978: NSD denial of service vulnerability
> from non-standard DNS packet from any host on the internet.
>
> 3.2.13:
> Bugfix #461 (VU#517036 CVE-2012-2979): NSD denial of service
> vulnerability from DNS packet when using --enable-zone-stats.
>
>
> As of changelog, 5.2 will come with 3.2.12, closing CVE-2012-2978.
> Only -current has 3.2.13, closing CVE-2012-2979.

CVE-2012-2979 isn't relevant as it's a non-standard build option that we don't use.

> I have not found a patch for it in 5.1 errata so far.

I've just committed a fix for CVE-2012-2978 to 5.1-stable, but I don't have time to handle issuing errata at the moment.