Re: wheezy-specific bind9 issue

To: debian-lts@lists.debian.org
Cc: 839051@bugs.debian.org
Subject: Re: wheezy-specific bind9 issue
From: "Shaun Bugler - Hetzner (Pty) Ltd" <sb@hetzner.co.za>
Date: Thu, 6 Oct 2016 12:24:36 +0200
Message-id: <[🔎] ed2d6505-53e6-95a3-3a9d-535721d4a216@hetzner.co.za>
In-reply-to: <[🔎] alpine.DEB.2.02.1610041948450.8633@jupiter.server.alteholz.net>
References: <87vaxglckw.fsf@mid.deneb.enyo.de> <[🔎] alpine.DEB.2.02.1610041948450.8633@jupiter.server.alteholz.net>

On 04/10/2016 19:52, Thorsten Alteholz wrote:

Hi Florian,

On Wed, 28 Sep 2016, Florian Weimer wrote:

While trying to write a reproducer for CVE-2016-2776, I discovered
that the 1:9.8.4.dfsg.P1-6+nmu2+deb7u10 version in wheezy would crash,
while unpatched jessie and upstream would not:

 <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839051>

This might be due to an incomplete fix for CVE-2015-5477.  If the
entire fix is missing, you can probably reuse the CVE ID.  If not,
please let us know, and we'll assign a new ID once you have a patch.

according to [1] the fix for CVE-2015-5477 is just one line, which isapplied correctly in 9.8.4.dfsg.P1-6+nmu2+deb7u6.Also 9.8.4.dfsg.P1-6+nmu2+deb7u2 crashes as well with your script, sothis seems to be a different problem.


  Thorsten

[1] https://kb.isc.org/getAttach/118/AA-01272/cve-2015-5477.patch.txt

I think we are dealing with a different problem here, as Thorsten saysthe patch for CVE-2015-5477 seems to be applied correctly in code, yet

9.8.4.dfsg.P1-6+nmu2+deb7u11 is still affected:
http://pastebin.com/2hV7vdzg

The version in jessie ,9.9.5.dfsg-9+deb8u7, is unaffected.

Shaun

Reply to:

References:
- Re: wheezy-specific bind9 issue
  - From: Thorsten Alteholz <debian@alteholz.de>

Prev by Date: Re: version number when packaging a new upstream release
Next by Date: Re: systemd CVE-2016-7796
Previous by thread: Re: wheezy-specific bind9 issue
Next by thread: Re: graphicsmagick packaging
Index(es):
- Date
- Thread