Bug#699552: pu: package maradns/1.4.03-1.1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#699552: pu: package maradns/1.4.03-1.1
From: Jonathan Wiltshire <jmw@debian.org>
Date: Fri, 01 Feb 2013 16:43:35 +0000
Message-id: <20130201164335.22979.3325.reportbug@ernie.home.powdarrmonkey.net>
Reply-to: Jonathan Wiltshire <jmw@debian.org>, 699552@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Dear RMs,

Please accept this stable upload to fix #665012
(CVE-2012-1570: maradns deleted domain record cache persistance flaw). It is
an NMU as part of the PRSC effort.

The patch comes from upstream and is a direct copy of the original fix in
unstable.

 maradns-1.4.03/debian/changelog |    8 ++++++++
 server/recursive.c              |    8 ++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

Thanks.

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -u maradns-1.4.03/debian/changelog maradns-1.4.03/debian/changelog
--- maradns-1.4.03/debian/changelog
+++ maradns-1.4.03/debian/changelog
@@ -1,3 +1,11 @@
+maradns (1.4.03-1.1+squeeze1) stable; urgency=low
+
+  * Non-maintainer upload.
+  * Backport fix from upstream for CVE-2012-1570 (deleted domain record
+    cache persistence flaw). Closes: #665012
+
+ -- Jonathan Wiltshire <jmw@debian.org>  Fri, 01 Feb 2013 16:31:00 +0000
+
 maradns (1.4.03-1.1) unstable; urgency=high
 
   * Non-maintainer upload by the Security Team
only in patch2:
unchanged:
--- maradns-1.4.03.orig/server/recursive.c
+++ maradns-1.4.03/server/recursive.c
@@ -1370,6 +1370,10 @@
     ttl = js_readuint32(server_reply,offset);
     if(ttl == JS_ERROR)
         return JS_ERROR;
+    if(ttl < 20)
+        ttl = 20;
+    if(ttl > 86400) /* One day; Ghost domain fix */
+        ttl = 86400;
     offset += 4;
     /* Get the rdlength of the SOA record */
     rdlength = js_readuint16(server_reply,offset);
@@ -2019,8 +2023,8 @@
                problems that Franky reported */
             if(ttl < 20)
                 ttl = 20;
-            if(ttl > 63072000) /* Two years */
-                ttl = 63072000;
+            if(ttl > 86400) /* One day; Ghost domain fix */
+                ttl = 86400;
             /* If this is a CNAME answer then we don't store it for over
              * 15 minutes */
             if(ttl > 900 && cname_original_record != 0)

Reply to:

Follow-Ups:
- Bug#699552: pu: package maradns/1.4.03-1.1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Processed: Re: Bug#699552: pu: package maradns/1.4.03-1.1
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Processed: Re: Bug#699552: pu: package maradns/1.4.03-1.1
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Bug#699552: marked as done (pu: package maradns/1.4.03-1.1)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Processed: Re: Bug#697190: unblock: virtuoso-opensource/6.1.4+dfsg1-2
Next by Date: Bug#698252: marked as done (pre-approve: re-adding phonon-backend-xine as transitional package)
Previous by thread: Bug#699335: unblock: r-cran-genabel/1.7-0-2
Next by thread: Bug#699552: pu: package maradns/1.4.03-1.1
Index(es):
- Date
- Thread