[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#699552: pu: package maradns/1.4.03-1.1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Dear RMs,

Please accept this stable upload to fix #665012
(CVE-2012-1570: maradns deleted domain record cache persistance flaw). It is
an NMU as part of the PRSC effort.

The patch comes from upstream and is a direct copy of the original fix in
unstable.

 maradns-1.4.03/debian/changelog |    8 ++++++++
 server/recursive.c              |    8 ++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

Thanks.

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u maradns-1.4.03/debian/changelog maradns-1.4.03/debian/changelog
--- maradns-1.4.03/debian/changelog
+++ maradns-1.4.03/debian/changelog
@@ -1,3 +1,11 @@
+maradns (1.4.03-1.1+squeeze1) stable; urgency=low
+
+  * Non-maintainer upload.
+  * Backport fix from upstream for CVE-2012-1570 (deleted domain record
+    cache persistence flaw). Closes: #665012
+
+ -- Jonathan Wiltshire <jmw@debian.org>  Fri, 01 Feb 2013 16:31:00 +0000
+
 maradns (1.4.03-1.1) unstable; urgency=high
 
   * Non-maintainer upload by the Security Team
only in patch2:
unchanged:
--- maradns-1.4.03.orig/server/recursive.c
+++ maradns-1.4.03/server/recursive.c
@@ -1370,6 +1370,10 @@
     ttl = js_readuint32(server_reply,offset);
     if(ttl == JS_ERROR)
         return JS_ERROR;
+    if(ttl < 20)
+        ttl = 20;
+    if(ttl > 86400) /* One day; Ghost domain fix */
+        ttl = 86400;
     offset += 4;
     /* Get the rdlength of the SOA record */
     rdlength = js_readuint16(server_reply,offset);
@@ -2019,8 +2023,8 @@
                problems that Franky reported */
             if(ttl < 20)
                 ttl = 20;
-            if(ttl > 63072000) /* Two years */
-                ttl = 63072000;
+            if(ttl > 86400) /* One day; Ghost domain fix */
+                ttl = 86400;
             /* If this is a CNAME answer then we don't store it for over
              * 15 minutes */
             if(ttl > 900 && cname_original_record != 0)

Reply to: