Hello, last month as part of Freexian onboarding I tried to work on pdns: https://security-tracker.debian.org/tracker/source-package/pdns I backported patches for CVE-2020-17482 and CVE-2019-10203 to https://salsa.debian.org/enrico/pdns/-/tree/stretch For CVE-2022-27227, available patches touch code that mostly didn't exist in 4.0.3, and zeha commented on IRC: > do you have actual users on 4.0.x which are -actually- affected by the > IXFR things? i think if one uses 4.0.x to run a domain on the public > internet, you'll have other problems It looks like a case for tagging as no-dsa: would you agree? That leaves CVE-2020-17482 and CVE-2019-10203 pending. pdns has no test suite, and I'm unable to smoke test it manually, so it feels irresponsible for me to make a DLA without testing. I left a note of this in dla-needed.txt: is that enough, or would you like me to do something else not to leave this work unfinished? Enrico -- GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>
Attachment:
signature.asc
Description: PGP signature