Your message dated Sat, 22 Jun 2019 20:39:49 +0200 with message-id <a4fce076-47cd-55d8-8ed8-afd267a0dbc7@debian.org> and subject line Re: Bug#930875: unblock: pdns/4.1.6-3 has caused the Debian Bug report #930875, regarding unblock: pdns/4.1.6-3 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 930875: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930875 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: pdns/4.1.6-3
- From: Chris Hofstaedtler <zeha@debian.org>
- Date: Fri, 21 Jun 2019 21:48:30 +0200
- Message-id: <[🔎] 156114651024.5502.4114498686541612528.reportbug@percival.namespace.at>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Dear Release Team, Please unblock package pdns 4.1.6-3 which contains fixes for two CVEs: CVE-2019-10162: Denial of service via crafted zone records CVE-2019-10163: Denial of service via NOTIFY packets Please find the debdiff from -2 below. Thanks, Chris unblock pdns/4.1.6-3 diff -Nru pdns-4.1.6/debian/changelog pdns-4.1.6/debian/changelog --- pdns-4.1.6/debian/changelog 2019-03-31 12:48:59.000000000 +0000 +++ pdns-4.1.6/debian/changelog 2019-06-21 19:07:07.000000000 +0000 @@ -1,3 +1,12 @@ +pdns (4.1.6-3) unstable; urgency=medium + + * Fix Denial of service via crafted zone records (CVE-2019-10162) + using patch from upstream. + * Fix Denial of service via NOTIFY packets (CVE-2019-10163) + using patch from upstream. + + -- Chris Hofstaedtler <zeha@debian.org> Fri, 21 Jun 2019 19:07:07 +0000 + pdns (4.1.6-2) unstable; urgency=high [ Salvatore Bonaccorso ] diff -Nru pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch --- pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch 1970-01-01 00:00:00.000000000 +0000 +++ pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch 2019-06-21 19:07:07.000000000 +0000 @@ -0,0 +1,29 @@ +diff --git pdns-4.1.8/pdns/mastercommunicator.cc pdns-4.1.8-invalidrecords/pdns/mastercommunicator.cc +index 456957a..ce0355c 100644 +--- pdns-4.1.8/pdns/mastercommunicator.cc ++++ pdns-4.1.8-invalidrecords/pdns/mastercommunicator.cc +@@ -50,6 +50,7 @@ void CommunicatorClass::queueNotifyDomain(const DomainInfo& di, UeberBackend* B) + FindNS fns; + + ++ try { + if (d_onlyNotify.size()) { + B->lookup(QType(QType::NS), di.zone); + while(B->get(rr)) +@@ -77,6 +78,16 @@ void CommunicatorClass::queueNotifyDomain(const DomainInfo& di, UeberBackend* B) + hasQueuedItem=true; + } + } ++ } ++ catch (PDNSException &ae) { ++ L << Logger::Error << "Error looking up name servers for " << di.zone << ", cannot notify: " << ae.reason << endl; ++ return; ++ } ++ catch (std::exception &e) { ++ L << Logger::Error << "Error looking up name servers for " << di.zone << ", cannot notify: " << e.what() << endl; ++ return; ++ } ++ + + set<string> alsoNotify(d_alsoNotify); + B->alsoNotifies(di.zone, &alsoNotify); diff -Nru pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch.asc pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch.asc --- pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch.asc 1970-01-01 00:00:00.000000000 +0000 +++ pdns-4.1.6/debian/patches/CVE-2019-10162-4.1.8-invalidrecords.patch.asc 2019-06-21 19:07:07.000000000 +0000 @@ -0,0 +1,12 @@ +-----BEGIN PGP SIGNATURE----- + +iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAl0I6mcaHHJlbWkuZ2Fj +b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEZxXgf9G4rXQ3xmE6pPTnwkN+9P +nrqhjIrbhIS8t2KNVqLjUADhxHOli8lLj84f/fLnJgRabA5mz7iFVhpcHmocJADI +lldJsjke6qbG+oduP90TsOD0wTWvibdxpoyrQlE0KvZua7geI5nSudEAVFW/SdhQ +ynWGCgEodG35QkLOYlF19iSkd7x52Hx8MvMUF3YDZU/IjAVIIVmS4ZdaYz32T3ih +OfpMFcOsu7Lsk8RkecK9Hegkv9ohqXGGcfz8rGsyF0gBGqTOhZ2rPqEj66jG4x++ +wLNPOkFpJYKLW+tkPzj0ra56/zjmOPrWbZWlEORnlmrU9ZS9nYG5gfYJuPNAveCq +Mw== +=SR9f +-----END PGP SIGNATURE----- diff -Nru pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch --- pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch 1970-01-01 00:00:00.000000000 +0000 +++ pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch 2019-06-21 19:07:07.000000000 +0000 @@ -0,0 +1,16 @@ +diff --git pdns-4.1.8/pdns/communicator.cc pdns-4.1.8-busyloop/pdns/communicator.cc +index 7db5a3e..7fd59e4 100644 +--- pdns-4.1.8/pdns/communicator.cc ++++ pdns-4.1.8-busyloop/pdns/communicator.cc +@@ -136,7 +136,10 @@ void CommunicatorClass::mainloop(void) + if (extraSlaveRefresh) + slaveRefresh(&P); + } +- else { ++ else { ++ // eat up extra posts to avoid busy looping if many posts were done ++ while (d_any_sem.tryWait() == 0) { ++ } + break; // something happened + } + // this gets executed at least once every second diff -Nru pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch.asc pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch.asc --- pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch.asc 1970-01-01 00:00:00.000000000 +0000 +++ pdns-4.1.6/debian/patches/CVE-2019-10163-4.1.8-busyloop.patch.asc 2019-06-21 19:07:07.000000000 +0000 @@ -0,0 +1,12 @@ +-----BEGIN PGP SIGNATURE----- + +iQFOBAABCgA4FiEE1jAMq8v0abvjkuUDogjtT4r1hEYFAl0I6mcaHHJlbWkuZ2Fj +b2duZUBwb3dlcmRucy5jb20ACgkQogjtT4r1hEZbcQf/XTC6bDxmwt4tEXXN6hXQ ++ArS6zRED2pbxCAipxvHtbj9xqhk343aNfrG4Y8kl32AmJuP76yGfNrFeiNtPWgA +3zcuLxuyaCs/M7zMOtuYxcz6IhHBfZPZ+MixWSeJqsD5zV9kQT7LjvJR7ZeO87R5 +CBTz6vX4WzH0FW7aQnt3paYc0Rxn8H1LJQ8ytQCIch1kc2Xbn+qcW9velwP/hTPu +iCgEHx4ntaQj4ohS2Ntd0CQa3NMKUyI17FybLfebUyNywWnh8NVU4hevgGOG3pCu +oE7qe8+kms49hQiQPEGf5rst+MjVOrGwkiX7ydsT4udfHsH+F2Xb/qU1Tn20UjV4 +Bg== +=bJOa +-----END PGP SIGNATURE----- diff -Nru pdns-4.1.6/debian/patches/series pdns-4.1.6/debian/patches/series --- pdns-4.1.6/debian/patches/series 2019-03-31 12:48:59.000000000 +0000 +++ pdns-4.1.6/debian/patches/series 2019-06-21 19:07:07.000000000 +0000 @@ -1 +1,3 @@ CVE-2019-3871-auth-4.1.6.patch +CVE-2019-10162-4.1.8-invalidrecords.patch +CVE-2019-10163-4.1.8-busyloop.patch
--- End Message ---
--- Begin Message ---
- To: Chris Hofstaedtler <zeha@debian.org>, 930875-done@bugs.debian.org
- Subject: Re: Bug#930875: unblock: pdns/4.1.6-3
- From: Paul Gevers <elbrus@debian.org>
- Date: Sat, 22 Jun 2019 20:39:49 +0200
- Message-id: <a4fce076-47cd-55d8-8ed8-afd267a0dbc7@debian.org>
- In-reply-to: <[🔎] 156114651024.5502.4114498686541612528.reportbug@percival.namespace.at>
- References: <[🔎] 156114651024.5502.4114498686541612528.reportbug@percival.namespace.at>
Hi Chris, On 21-06-2019 21:48, Chris Hofstaedtler wrote: > unblock pdns/4.1.6-3 Unblocked, thanks. PaulAttachment: signature.asc
Description: OpenPGP digital signature
--- End Message ---