
Inadequate source of entropy in recursive queries: maradns
As per the attached email, I wonder if you would be interested in point
releases for the old versions of maradns to fix #653838 and what the
relevant timescales would be.

There is also the question of unarchiving and fixing #584587 in the
lenny version whilst we still have the chance.
--- Begin Message ---
Hi Nicholas,

On Friday 30 December 2011 20:18:16, Nicholas Bamber wrote:
> As per this email I am preparing 1.4.08-1 of the maradns package. I am
> wondering what your view would be about the old versions of maradns. It
> does not look like a very large patch.

Thanks. You should indeed upload 1.4.09 to unstable and set urgency=medium.

Talking about updating (old)stable. I've been pondering the issue a while. My 
preliminary conclusion is that this is an issue worth fixing, because breaking 
DNS of course breaks an entire network, but especially because MaraDNS 
advertises itself as a 'security-focused' product specifically.

However, in order to exploit it, one needs to allow untrusted users to perform 
recursive queries. As we all know, allowing the general public to perform 
recursive queries on your server is considered a security problem to begin 
with, so we can expect this not to be a very common case. Of course there will 
be an installation here or there that caters to some internal network on which 
not everyone is fully trusted, but that seems like a border case to me.

So concluding, I would say that this issue is very fit for a stable point 
update, not a DSA. You should get in contact with the SRMs about this 
straight away, since a point release for squeeze is around the corner.
I would definitely also update Lenny, because (a) upstream has actually 
released a patch for the version in lenny, and (b) this month is the last 
chance to do so.

Are you available to take care of this?


Cheers,
Thijs

--- End Message ---