
CVE-2012-1033 (bind9)

Hello folks,

If we look here:

http://security-tracker.debian.org/tracker/CVE-2012-1033

it appears as though this CVE has been written off as a DNS protocol
flaw, I believe based on the original ISC announcement here:

https://www.isc.org/software/bind/advisories/cve-2012-1033 (first
sentence under Solution: )

Now, I don't disagree with you, however, ISC have subsequently issued
a patch which mitigates (a bit lamely, IMHO) the problem (second
paragraph of Solution: **Delayed Update of 29 May --) and this
upstream patch hasn't found its way into debian, I suspect because of
this delay.

Whether this is a real security issue or not (bun fight!), it causes a
problem with verifying debian systems as PCI DSS compliant because
there _is_ an upstream patch to mitigate the problem which isn't
applied to debian packages.  "Not known to be vulnerable" is not quite
the same strength of statement as "fixed", and then we're into "you
must upgrade to the latest version" hell.

Is there any chance you could see your way to patch in "3282. [bug]
Restrict the TTL of NS RRset to no more than that of the old NS RRset
when replacing it.  [RT #27792] [RT #27884]" from upstream so that we
can have a "fixed" status?  It might even improve security, you never
know.

Finally, I'd like to take this opportunity to offer my thanks for your
truly outstanding work.  I've been a debian advocate for a long time
now, I couldn't do that, or my job as it stands, without the security
team making debian stable a viable (awesome) platform.

-- 
--------------------------------------------

Mike Ashton
Head of Technical Operations       пиво царь
moo.com

::  email | mike@moo.com

--------------------------------------------

MOO Print Ltd
32 Scrutton Street (Rear)
London
EC2A 4RQ
+44(0) 207 392 2781 (x1022)

--------------------------------------------
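As an added illustration of the change 3282 behaviour quoted in the message ("Restrict the TTL of NS RRset to no more than that of the old NS RRset when replacing it"), here is a toy resolver cache written for this page; it is a constructed example, not ISC's or Debian's code. It assumes the cap is applied against the old entry's remaining lifetime, and the zone names and times are made up.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class CachedNS:
    """One cached NS RRset: the NS target names and an absolute expiry time."""
    names: tuple
    expires_at: int

class ResolverCache:
    """Minimal model of a resolver's NS cache. cap_ns_ttl=True models
    BIND 9 change 3282 (assumed here to cap at the old entry's remaining
    lifetime); cap_ns_ttl=False models the unpatched behaviour."""
    def __init__(self, cap_ns_ttl: bool):
        self.cap_ns_ttl = cap_ns_ttl
        self.ns: dict = {}

    def store_ns(self, zone: str, names: list, ttl: int, now: int) -> int:
        """Insert or replace the NS RRset for `zone`; return its expiry time."""
        old = self.ns.get(zone)
        if old is not None and now < old.expires_at and self.cap_ns_ttl:
            ttl = min(ttl, old.expires_at - now)  # never extend the old lifetime
        self.ns[zone] = CachedNS(tuple(names), now + ttl)
        return self.ns[zone].expires_at

    def lookup_ns(self, zone: str, now: int) -> Optional[tuple]:
        """Return the cached NS names, or None if absent or expired."""
        entry = self.ns.get(zone)
        if entry is None or now >= entry.expires_at:
            self.ns.pop(zone, None)
            return None
        return entry.names

def first_expiry(cap_ns_ttl: bool, ttl: int = 3600, horizon: int = 86400) -> Optional[int]:
    """Cache an NS RRset at t=0, then re-store it every ttl//2 seconds.
    Return the first time the delegation is gone from the cache, or None
    if it is still present at `horizon`."""
    cache = ResolverCache(cap_ns_ttl)
    zone, names = "example.test.", ["ns1.example.test."]  # constructed values
    cache.store_ns(zone, names, ttl, now=0)
    now = 0
    while now < horizon:
        now += ttl // 2
        if cache.lookup_ns(zone, now) is None:
            return now
        cache.store_ns(zone, names, ttl, now)
    return None

if __name__ == "__main__":
    print("without cap:", first_expiry(False))  # None: refreshes keep it alive
    print("with cap:   ", first_expiry(True))   # 3600: original expiry holds
```

With the cap, repeated re-learning of the NS RRset cannot push the delegation's expiry past the time the first copy would have expired; without it, the entry stays cached for as long as refreshes keep arriving.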
