Re: Bug#653838: Inadequate source of entropy in recursive queries: maradns
I reckon there must be some confusion here. The description in
CVE-2011-5056 does not match the link to Sam's blog. So I have no idea
what is going on there. In any case if the attack vector is crafting
authoritative DNS records, then the system would have to be compromised
in other ways to make that possible.
I read CVE-2011-5055 as referring to Sam's second patch attempting
to fix CVE-2012-0024. As such this is fixed in 1.4.09-1 and upwards.
The current proposed build update would fix CVE-2012-0024 and if I
understand it correctly CVE-2011-5055.
I'll go back to upstream and try to get some clarification.
On 14/01/12 12:18, Julien Cristau wrote:
> On Thu, Jan 12, 2012 at 22:55:10 +0000, Nicholas Bamber wrote:
>> Comments below. What is the next step?
> On http://security-tracker.debian.org/tracker/source-package/maradns I
> see three issues: CVE-2011-5055, CVE-2011-5056 and CVE-2012-0024. Which
> one is this fixing, and what's the status of the 2011-505* ones in
> unstable? They're listed as unfixed in the tracker.
Nicholas Bamber | http://www.periapt.co.uk/
PGP key 3BFFE73C from pgp.mit.edu