Debian Bug report logs - #189659
Please remove dnrd

Package: ftp.debian.org; Maintainer for ftp.debian.org is Debian FTP Master <ftpmaster@ftp-master.debian.org>;

Reported by: Thomas Schoepf <schoepf@debian.org>

Date: Sat, 19 Apr 2003 10:48:01 UTC

Severity: normal

Done: Debian Archive Maintenance <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, wnpp@packages.qa.debian.org:
Bug#189659; Package wnpp. (full text, mbox, link).

Acknowledgement sent to Thomas Schoepf <schoepf@debian.org>:
New Bug report received and forwarded. Copy sent to wnpp@debian.org, wnpp@packages.qa.debian.org. (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Thomas Schoepf <schoepf@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: O: dnrd
Date: Sat, 19 Apr 2003 12:35:29 +0200
Package: wnpp
Version: unavailable; reported 2003-04-19
Severity: normal

 The Domain Name Relay Daemon (DNRD) is a simple "proxy" nameserver.
 It is meant to be used for home networks that can connect to the
 internet using one of several ISPs.
 .
 DNRD can be setup to forward all DNS queries to the appropriate DNS
 server for each of your ISPs.
 .
 SECURITY NOTE: dnrd is susceptible to buffer overflow attacks.
 However, by default dnrd changes to the "nobody" user. It also does
 a chroot to the /etc/dnrd directory, after checking that /etc/dnrd
 exists and contains no subdirectories and no executables and is only
 writable by root.

Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org, wnpp@debian.org, wnpp@packages.qa.debian.org:
Bug#189659; Package wnpp. (full text, mbox, link).

Acknowledgement sent to Anibal Monsalve Salazar <A.Monsalve.Salazar@IEEE.org>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org, wnpp@debian.org, wnpp@packages.qa.debian.org. (full text, mbox, link).

Message #10 received at 189659@bugs.debian.org (full text, mbox, reply):

From: Anibal Monsalve Salazar <A.Monsalve.Salazar@IEEE.org>
To: Debian Bug Tracking System <189659@bugs.debian.org>
Subject: will adopt dnrd
Date: Thu, 24 Apr 2003 22:30:06 +1000
Package: wnpp
Version: unavailable; reported 2003-04-24
Followup-For: Bug #189659

* Package name    : dnrd
  Version         : 2.10-8
  Upstream Author : Brad Garcia <garsh@attbi.com>
* URL             : http://users.zoominternet.net/~garsh/dnrd/
* License         : GPL
  Description     : Proxy DNS daemon

The Domain Name Relay Daemon (DNRD) is a simple "proxy" nameserver.
It is meant to be used for home networks that can connect to the
internet using one of several ISPs.

DNRD can be setup to forward all DNS queries to the appropriate DNS
server for each of your ISPs.

SECURITY NOTE: dnrd is susceptible to buffer overflow attacks.
However, by default dnrd changes to the "nobody" user. It also does
a chroot to the /etc/dnrd directory, after checking that /etc/dnrd
exists and contains no subdirectories and no executables and is only
writable by root.

Homepage: http://users.zoominternet.net/~garsh/dnrd/

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux caribe 2.4.20 #8 Fri Dec 6 14:19:52 EST 2002 i586
Locale: LANG=C, LC_CTYPE=C

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, wnpp@packages.qa.debian.org:
Bug#189659; Package wnpp. (full text, mbox, link).

Acknowledgement sent to Brian May <bam@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, wnpp@packages.qa.debian.org. (full text, mbox, link).

Message #15 received at 189659@bugs.debian.org (full text, mbox, reply):

From: Brian May <bam@debian.org>
To: Anibal Monsalve Salazar <A.Monsalve.Salazar@IEEE.org>, 189659@bugs.debian.org
Subject: Re: Bug#189659: will adopt dnrd
Date: Sat, 26 Apr 2003 18:27:10 +1000
On Thu, Apr 24, 2003 at 10:30:06PM +1000, Anibal Monsalve Salazar wrote:
> SECURITY NOTE: dnrd is susceptible to buffer overflow attacks.
> However, by default dnrd changes to the "nobody" user. It also does
> a chroot to the /etc/dnrd directory, after checking that /etc/dnrd
> exists and contains no subdirectories and no executables and is only
> writable by root.

Using the nobody as a work around for possible security holes seems a
really bad idea.

At the very least, please consider using another user ID, as other
programs might be using the nobody user. If one program is compromised,
the rest will also become compromised if they are sharing the one user.

Also, even using a non-root, non-shared user id is not going to prevent
an attacker doing damage via a buggy daemon, non-root users can do bad
things too. eg. DOS attacks (ulimits should help here), attack computers
on private/firewalled networks, etc.
-- 
Brian May <bam@debian.org>

Changed Bug title. Request was from Martin Michlmayr <tbm@cyrius.com> to control@bugs.debian.org. (full text, mbox, link).

Bug reassigned from package `wnpp' to `ftp.debian.org'. Request was from Martin Michlmayr <tbm@cyrius.com> to control@bugs.debian.org. (full text, mbox, link).

Reply sent to Debian Archive Maintenance <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (full text, mbox, link).

Notification sent to Thomas Schoepf <schoepf@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).

Message #24 received at 189659-close@bugs.debian.org (full text, mbox, reply):

From: Debian Archive Maintenance <ftpmaster@ftp-master.debian.org>
To: 189659-close@bugs.debian.org
Subject: Bug#189659: fixed
Date: Sun, 11 May 2003 12:42:02 -0400
We believe that the bug you reported is now fixed; the following
package(s) have been removed from unstable:

      dnrd |     2.10-5 | ia64
      dnrd |     2.10-7 | source, alpha, arm, hppa, i386, m68k, mips, mipsel, powerpc, s390, sparc

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive (ftp-master.debian.org) and will not propagate to any
mirrors (ftp.debian.org included) until the next cron.daily run at the
earliest.

Packages are never removed from testing by hand.  Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems.

Bugs which have been reported against this package are not automatically
removed from the Bug Tracking System.  Please check all open bugs and
close them or re-assign them to another package if the removed package
was superseded by another one.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 189659@bugs.debian.org.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.

Debian distribution maintenance software
pp.
James Troup (the ftpmaster behind the curtain)

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 16 00:42:02 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.