
Re: Bug#690142: marked as done (remote named DoS on recursor (CVE-2012-5166))

Hi there!

Just trying to avoid people wasting effort on bind9 NMU work.

I am working with LaMont Jones on an update for wheezy to bind9 9.8.4,
rebased on the ISC 9.8.4 code, which will definitely close #690569,
#690142, and maybe #689755.  (The rest of the Important bugs appear to
be with old versions of bind9 before 9.7.x.)

The main reason is to reduce the work required for security patching and
to mostly eliminate the risk of introducing new bugs with the fixes.

It has been found that the data structures between ISC bind9 9.8.1 and
9.8.4 have markedly changed due to essential protocol fixes and security
fixes.  Applying patches is no longer that simple a matter, with a
considerable risk of introducing new bugs.

I originally adapted up the patch for bind9 9.8.1.dfsg.P1-4.2, and was
proceeding to fix #690569 "DNS wildcards fail to resolve with DNSsec
enabled" when I found that there was a serious risk of introducing
new bugs, and desisted from NMUing bind9. (I was a professional C router

There is also the matter of "#689755 bind9: memory leak in named".  I am
currently working on an ISP DNS project based on wheezy, and have
observed some suspicious behaviour in this regard.  On reading the ISC
CHANGES file for 9.8.4, there are fixes that could be related to this
sort of behavior.

This is a notice that the bind9 9.8.1.dfsg.P1-4.x package might be
replaced, after going through the appropriate channels (Debian Release
Team). LaMont will be uploading our work to wheezy-proposed shortly.

A repository of work done so far is up at

Thank you very much for your patience.

Best Regards,

Matthew Grant

On 29/10/12 11:21, Debian Bug Tracking System wrote:
> Your message dated Sun, 28 Oct 2012 23:16:32 +0100
> with message-id <20121028221632.GA21297@spike.0x539.de>
> and subject line fixed in 9.8.1.dfsg.P1-4.3
> has caused the Debian Bug report #690142,
> regarding remote named DoS on recursor (CVE-2012-5166)
> to be marked as done.
> This means that you claim that the problem has been dealt with.
> If this is not the case it is now your responsibility to reopen the
> Bug report if necessary, and/or fix the problem forthwith.
> (NB: If you are a system administrator and have no idea what this
> message is talking about, this may indicate a serious mail system
> misconfiguration somewhere. Please contact owner@bugs.debian.org
> immediately.)
