
Re: Bug#653838: Inadequate source of entropy in recursive queries: maradns



I think I have got a handle on what is going on here:
http://samiam.org/blog/20111229.html

experimental [CVE-2011-5056]: This only affects the authoritative
server. In previous versions this would be the same issue as the other
CVE tickets because then the authoritative and recursive servers were
one process. There has never been an issue in this release for the
recursive process. However this is not going to be fixed until upstream
release a new version.

unstable/testing [CVE-2012-0024, CVE-2011-5055]: This was fixed in
1.4.09-1 but Sam has issued one further release, 1.4.10 with a last
tweak. For this version all the three CVE tickets are fundamentally the
same issue.

stable [CVE-2012-0024, CVE-2011-5055]: I previously sent a debdiff. I
need to issue a new one.

oldstable [CVE-2012-0024, CVE-2011-5055, CVE-2010-2444]: I have not
looked at this yet. Chances to fix CVE-2010-2444 were passed up before I
became maintainer.

I am not sure what to do now apart from issuing 1.4.10-1. Do I raise new
bug reports?



On 14/01/12 12:18, Julien Cristau wrote:
> On Thu, Jan 12, 2012 at 22:55:10 +0000, Nicholas Bamber wrote:
> 
>> Julien,
>> 	Comments below. What is the next step?
>>
> On http://security-tracker.debian.org/tracker/source-package/maradns I
> see three issues: CVE-2011-5055, CVE-2011-5056 and CVE-2012-0024.  Which
> one is this fixing, and what's the status of the 2011-505* ones in
> unstable?  They're listed as unfixed in the tracker.
> 
> Cheers,
> Julien


-- 
Nicholas Bamber | http://www.periapt.co.uk/
PGP key 3BFFE73C from pgp.mit.edu

