I pushed my version of the fix for #490217 into Sid just before the freeze.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490217
python-dns vulnerable to CVE-2008-1447 DNS source port guessable
Upstream has released their version of the fix in version 2.3.2 and I think
it's better and would like to see it included in Lenny if possible.
Specifically they used a while loop instead of recursion when trying to bind
to a new socket so it can't go on too long (very low probability) and also
they caught that you don't want to close the socket if the async option is in
use (AFAIK, no packages in Debian use this, but there appear to be unpackaged
users of this module based on popcon).
The functional changes not related to #490217 are 9 lines of code and present
very minimal risk (if they were wrong, the package just wouldn't work right
away - there isn't a risk of a subtle problem that emerges later)
Additionally, #492996 was reported today with a patch. It's not an RC bug,
but the fix is very small and it's helpful for IPv4/v6 interoperability.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492996
python-dns: Should safely ignore IPv6 "nameserver" entries in resolv.conf as
long as querying those is not supported
I've tested the proposed fix for #492996 on an IPv6 connected server that has
an IPv6 address in resolv.conf and it works. Additionally, upstream has
reviewed the patch and agrees with it (as an interim - they are planning on
proper IPv6 support in the next release).
Additionally, I have my draft package running successfully on one of my
servers now.
I would like to get this into Lenny. If the freeze exception is approved,
I'll upload to Sid so it can be properly aged. If it's not, I'll upload to
experimental.
Debdiff aimed at Lenny attached.
Thank you,
Scott Kitterman
lenny.debdiff
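The two upstream changes the message describes, bounded retry instead of recursion when binding a random source port, and not closing the socket when the async option is in use, as an added illustration. This is example code written for this page, not python-dns's code or the upstream 2.3.2 patch; the port range, the attempt limit, the loopback bind address and the function names are assumptions chosen for illustration.

```python
import secrets
import socket

# Added example, not python-dns's code. The ephemeral range and the
# attempt limit are assumptions chosen for illustration.
EPHEMERAL_MIN = 1024
EPHEMERAL_MAX = 65535
MAX_BIND_ATTEMPTS = 32


def random_port():
    # A CSPRNG rather than random.random(): the whole point of the
    # CVE-2008-1447 fix is that the source port must not be predictable.
    return EPHEMERAL_MIN + secrets.randbelow(EPHEMERAL_MAX - EPHEMERAL_MIN + 1)


def bind_random_source_port(sock, host="127.0.0.1",
                            attempts=MAX_BIND_ATTEMPTS, choose_port=random_port):
    """Bind an unbound UDP socket to a randomly chosen source port.

    A bounded loop replaces recursion: hitting a port that is already in
    use is rare, but a recursive retry has no upper bound and grows the
    stack on every collision. Returns the port actually bound.
    """
    for _ in range(attempts):
        port = choose_port()
        try:
            sock.bind((host, port))
        except OSError:
            continue  # EADDRINUSE or similar: pick another port
        return port
    raise OSError("no free random source port after %d attempts" % attempts)


def open_query_socket(host="127.0.0.1", **bind_kwargs):
    """Create a UDP socket bound to a random source port, or raise."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        port = bind_random_source_port(sock, host, **bind_kwargs)
    except OSError:
        sock.close()  # nothing bound, so nobody else owns this socket
        raise
    return sock, port


def finish_query(sock, async_mode):
    """Release the socket after a query.

    For a synchronous query the reply has already been read, so the socket
    can be closed. In async mode the caller still owns the socket and will
    read the reply later; closing it here would break that caller.
    Returns True if the socket was closed.
    """
    if async_mode:
        return False
    sock.close()
    return True


if __name__ == "__main__":
    # Two sockets opened back to back should land on unrelated ports.
    s1, p1 = open_query_socket()
    s2, p2 = open_query_socket()
    print("source ports:", p1, p2)
    finish_query(s1, async_mode=False)
    finish_query(s2, async_mode=False)
```

The `choose_port` parameter exists only so the collision path can be exercised deterministically (a chooser that always returns a busy port must fail after the bounded number of attempts); in real use the default CSPRNG chooser is the one that matters.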