
Re: Pending pdns updates



Hi Enrico,

On Mon, Jun 06, 2022 at 11:53:59AM +0200, Enrico Zini wrote:
> Hello,
> 
> last month as part of Freexian onboarding I tried to work on pdns:
> https://security-tracker.debian.org/tracker/source-package/pdns
> 
> I backported patches for CVE-2020-17482 and CVE-2019-10203
> to https://salsa.debian.org/enrico/pdns/-/tree/stretch
> 
> For CVE-2022-27227, available patches touch code that mostly didn't
> exist in 4.0.3, and zeha commented on IRC:
> 
> > do you have actual users on 4.0.x which are -actually- affected by the
> > IXFR things? i think if one uses 4.0.x to run a domain on the public
> > internet, you'll have other problems
> 
> It looks like a case for tagging as no-dsa: would you agree?

FWIW, for the regular security supported suites we in fact marked
CVE-2022-27227 already as no-dsa. Unauthoritative answer here, but I
guess I would do the same for pdns in stretch.

Regards,
Salvatore

