Re: bind9: CVE-2018-5743

To: debian-security@lists.debian.org
Subject: Re: bind9: CVE-2018-5743
From: Henrique de Moraes Holschuh <hmh@debian.org>
Date: Sun, 12 May 2019 17:20:36 -0300
Message-id: <[🔎] 20190512202036.2xzkfqm3xgubfxnl@khazad-dum.debian.net>
In-reply-to: <[🔎] CAObvaLkoqTVG5OdsArR94kmM2zg88r6LpVeMysj_euWYugH8ng@mail.gmail.com>
References: <[🔎] CAObvaLkoqTVG5OdsArR94kmM2zg88r6LpVeMysj_euWYugH8ng@mail.gmail.com>

On Thu, 09 May 2019, Markus Wollny wrote:
> Is there an ETA on the fix for this bind9 vulnerability to be
> available for Debian Stretch yet?

It is already available.

> https://security-tracker.debian.org/tracker/CVE-2018-5743 says that
> the stable branch is still vulnerable (fixed in buster/sid only), even
> though the Debian bug report
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927932 is already
> marked as closed.

Currently, it lists the issue as fixed in the *security* update archive
for stable (stretch-security).   This means the fix has been released to
stable (the current stable is "stretch").

You get timely security updates through the <stable>-security archive.

Packages move from <stable>-security to stable only on stable point
releases, which happen every 3-5 months, so that we can generate a new
set of install-from-CD/DVD/FLASH images that have up-to-date packages
and drain the -security archive, which is not as extensively mirrored as
the other archives.

Note that the installer will update all packages during the install
process and has the security archives enabled by default.

-- 
  Henrique Holschuh

Reply to:

References:
- bind9: CVE-2018-5743
  - From: Markus Wollny <markus.wollny@gmail.com>

Prev by Date: bind9: CVE-2018-5743
Next by Date: IBRS security cpu models not available in libvirt0 on debian stretch
Previous by thread: bind9: CVE-2018-5743
Next by thread: Re: bind9: CVE-2018-5743
Index(es):
- Date
- Thread