Debian Bug report logs - #457445
libnet-dns-perl: CVE-2007-6341 possible remote denial of service vulnerability

version graph

Package: libnet-dns-perl; Maintainer for libnet-dns-perl is Florian Roscher <fh@debian.org>; Source for libnet-dns-perl is src:libnet-dns-perl.

Reported by: Nico Golde <nion@debian.org>

Date: Sat, 22 Dec 2007 13:30:01 UTC

Severity: grave

Tags: security

Fixed in versions libnet-dns-perl/0.63-1, libnet-dns-perl/0.48-1sarge1, libnet-dns-perl/0.59-1etch1

Done: Florian Weimer <fw@deneb.enyo.de>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Florian Hinzmann <fh@debian.org>:
Bug#457445; Package libnet-dns-perl. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Florian Hinzmann <fh@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: libnet-dns-perl: CVE-2007-6341 possible remote denial of service vulnerability
Date: Sat, 22 Dec 2007 14:13:00 +0100
[Message part 1 (text/plain, inline)]
Package: libnet-dns-perl
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libnet-dns-perl.

CVE-2007-6341[0]:
| Net/DNS/RR/A.pm in Net::DNS 0.60 build 654, as used in packages such
| as SpamAssassin and OTRS, allows remote attackers to cause a denial of
| service (program "croak") via a crafted DNS response.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6341

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Florian Hinzmann <fh@debian.org>:
Bug#457445; Package libnet-dns-perl. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Florian Hinzmann <fh@debian.org>. Full text and rfc822 format available.

Message #10 received at 457445@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 457445@bugs.debian.org
Subject: Re: libnet-dns-perl: CVE-2007-6341 possible remote denial of service vulnerability
Date: Tue, 15 Jan 2008 13:15:24 +0100
[Message part 1 (text/plain, inline)]
Hi,
what about this patch?
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[CVE-2007-6341.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Florian Hinzmann <fh@debian.org>:
Bug#457445; Package libnet-dns-perl. Full text and rfc822 format available.

Acknowledgement sent to Florian Hinzmann <f.hinzmann@hamburg.de>:
Extra info received and forwarded to list. Copy sent to Florian Hinzmann <fh@debian.org>. Full text and rfc822 format available.

Message #15 received at 457445@bugs.debian.org (full text, mbox):

From: Florian Hinzmann <f.hinzmann@hamburg.de>
To: Nico Golde <nion@debian.org>, 457445@bugs.debian.org
Subject: Re: Bug#457445: libnet-dns-perl: CVE-2007-6341 possible remote denial of service vulnerability
Date: Wed, 23 Jan 2008 01:06:34 +0100
Hello!

On Tue, 15 Jan 2008 13:15:24 +0100
Nico Golde <nion@debian.org> wrote:

> Hi,
> what about this patch?

I am not sure yet. I will investigate more deeply within the 
next days. I did contact the author of Net::DNS already.

 Regards
   Florian


-- 
  Florian Hinzmann                         private: f.hinzmann@hamburg.de
                                            Debian: fh@debian.org
PGP Key / ID: 1024D/B4071A65
Fingerprint : F9AB 00C1 3E3A 8125 DD3F  DF1C DF79 A374 B407 1A65




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#457445; Package libnet-dns-perl. Full text and rfc822 format available.

Acknowledgement sent to Florian Hinzmann <fh@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #20 received at 457445@bugs.debian.org (full text, mbox):

From: Florian Hinzmann <fh@debian.org>
To: 457445@bugs.debian.org
Subject: Status update: Fix pending
Date: Mon, 28 Jan 2008 02:21:57 +0100
Hello!

Upstream is preparing an update. I will use that solution or coordinate
enhancements if need arises. It should be a matter of days.

 Regards
   Florian


-- 
  Florian Hinzmann                         private: f.hinzmann@hamburg.de
                                            Debian: fh@debian.org
PGP Key / ID: 1024D/B4071A65
Fingerprint : F9AB 00C1 3E3A 8125 DD3F  DF1C DF79 A374 B407 1A65




Information forwarded to debian-bugs-dist@lists.debian.org, Florian Hinzmann <fh@debian.org>:
Bug#457445; Package libnet-dns-perl. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Florian Hinzmann <fh@debian.org>. Full text and rfc822 format available.

Message #25 received at 457445@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 457445@bugs.debian.org
Subject: Re: libnet-dns-perl: CVE-2007-6341 possible remote denial of service vulnerability
Date: Sun, 3 Feb 2008 16:25:25 +0100
[Message part 1 (text/plain, inline)]
Hi,
any news on this?
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#457445; Package libnet-dns-perl. Full text and rfc822 format available.

Acknowledgement sent to Florian Hinzmann <fh@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #30 received at 457445@bugs.debian.org (full text, mbox):

From: Florian Hinzmann <fh@debian.org>
To: Nico Golde <nion@debian.org>, 457445@bugs.debian.org
Subject: Re: Bug#457445: libnet-dns-perl: CVE-2007-6341 possible remote denial of service vulnerability
Date: Fri, 8 Feb 2008 09:03:27 +0100
On Sun, 3 Feb 2008 16:25:25 +0100
Nico Golde <nion@debian.org> wrote:

> Hi,
> any news on this?

I was in contact with Olaf Kolkman and Dick Franks upstream. I planned
to upload something this weekend at the latest. It looks like Olaf will
beat me with an upstream release I can use.

 Regards
   Florian

-- 
  Florian Hinzmann                         private: f.hinzmann@hamburg.de
                                            Debian: fh@debian.org
PGP Key / ID: 1024D/B4071A65
Fingerprint : F9AB 00C1 3E3A 8125 DD3F  DF1C DF79 A374 B407 1A65




Reply sent to Florian Hinzmann <fh@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #35 received at 457445-close@bugs.debian.org (full text, mbox):

From: Florian Hinzmann <fh@debian.org>
To: 457445-close@bugs.debian.org
Subject: Bug#457445: fixed in libnet-dns-perl 0.63-1
Date: Fri, 15 Feb 2008 01:17:02 +0000
Source: libnet-dns-perl
Source-Version: 0.63-1

We believe that the bug you reported is fixed in the latest version of
libnet-dns-perl, which is due to be installed in the Debian FTP archive:

libnet-dns-perl_0.63-1.diff.gz
  to pool/main/libn/libnet-dns-perl/libnet-dns-perl_0.63-1.diff.gz
libnet-dns-perl_0.63-1.dsc
  to pool/main/libn/libnet-dns-perl/libnet-dns-perl_0.63-1.dsc
libnet-dns-perl_0.63-1_i386.deb
  to pool/main/libn/libnet-dns-perl/libnet-dns-perl_0.63-1_i386.deb
libnet-dns-perl_0.63.orig.tar.gz
  to pool/main/libn/libnet-dns-perl/libnet-dns-perl_0.63.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 457445@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Hinzmann <fh@debian.org> (supplier of updated libnet-dns-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 15 Feb 2008 01:42:53 +0100
Source: libnet-dns-perl
Binary: libnet-dns-perl
Architecture: source i386
Version: 0.63-1
Distribution: unstable
Urgency: medium
Maintainer: Florian Hinzmann <fh@debian.org>
Changed-By: Florian Hinzmann <fh@debian.org>
Description: 
 libnet-dns-perl - Perform DNS queries from a Perl script
Closes: 457445 463531
Changes: 
 libnet-dns-perl (0.63-1) unstable; urgency=medium
 .
   * New upstream release, which fixes security issue
     CVE-2007-6341 (closes: bug#457445).
   * Do not try to delete /usr/share/perl5 while assembling package if
     it is not there. It is no longer there with MakeMaker from Perl 5.10.
     Thanks to Damyan Ivanov <dmn@debian.org> for report and fix
     (closes: bug#463531).
Files: 
 bd76eae41625a5551aeef3751df834bf 613 perl optional libnet-dns-perl_0.63-1.dsc
 c46aad24af44d424a972bb59c3aa5f37 149488 perl optional libnet-dns-perl_0.63.orig.tar.gz
 59b930f8ad95e70b7521f5ad7e92500c 6060 perl optional libnet-dns-perl_0.63-1.diff.gz
 ecdbbb0ab301dd3a69b42f80c64bfb9d 260916 perl optional libnet-dns-perl_0.63-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHtOLI33mjdLQHGmURAlOyAKCEVxEVK6D/vRLtZey4bNm8hzxSfACff6Mm
/+X8TQlIKRGIe2VK4xLY8gU=
=LHIM
-----END PGP SIGNATURE-----





Reply sent to Florian Weimer <fw@deneb.enyo.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #40 received at 457445-close@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: 457445-close@bugs.debian.org
Subject: Bug#457445: fixed in libnet-dns-perl 0.48-1sarge1
Date: Fri, 21 Mar 2008 07:52:23 +0000
Source: libnet-dns-perl
Source-Version: 0.48-1sarge1

We believe that the bug you reported is fixed in the latest version of
libnet-dns-perl, which is due to be installed in the Debian FTP archive:

libnet-dns-perl_0.48-1sarge1.diff.gz
  to pool/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1.diff.gz
libnet-dns-perl_0.48-1sarge1.dsc
  to pool/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1.dsc
libnet-dns-perl_0.48-1sarge1_i386.deb
  to pool/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 457445@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Weimer <fw@deneb.enyo.de> (supplier of updated libnet-dns-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 07 Mar 2008 23:03:36 +0100
Source: libnet-dns-perl
Binary: libnet-dns-perl
Architecture: source i386
Version: 0.48-1sarge1
Distribution: oldstable-security
Urgency: high
Maintainer: Florian Hinzmann <fh@debian.org>
Changed-By: Florian Weimer <fw@deneb.enyo.de>
Description: 
 libnet-dns-perl - Perform DNS queries from a Perl script
Closes: 457445
Changes: 
 libnet-dns-perl (0.48-1sarge1) oldstable-security; urgency=high
 .
   * Malformed A records could lead to a Perl exception and program crash
     (CVE-2007-6341).  Closes: #457445.
   * A very weak random number generator was used for transaction IDs
     (CVE-2007-3377).
     Perl's rand() is used in the patch against this vulnerability--it is
     initialized from /dev/urandom, but the underlying LCG has only got 48
     bits of state, so at the very least, a brute-force attack is still
     possible if an attacker has got three subsequently generated
     transaction IDs.
   * The Perl implementation of dn_expand could recurse infinitely
     (CVE-2007-3409).  (On Debian systems, the C version is typically
     used.)
Files: 
 69ce0c55a0c3876faaee37e78c592ec8 916 perl optional libnet-dns-perl_0.48-1sarge1.dsc
 bd5bab1de250b947a3f00148d426f2e2 95754 perl optional libnet-dns-perl_0.48.orig.tar.gz
 72b2f73855eceafb316f7fde51bc474e 6853 perl optional libnet-dns-perl_0.48-1sarge1.diff.gz
 ee51c0d78f1482161f241fa9a37aba5a 217226 perl optional libnet-dns-perl_0.48-1sarge1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBR9HHAb97/wQC1SS+AQIewAgAsEUs3Dkw9KWRut/FE8Tnjzh342dl8ElO
tSVSYSlY2YxyIrN/qTDt2Ze5IXcaepJZanIIkVgVj/EUVb36aCelhjeMGY/mktkE
D4XR2AuU1v46bAhnnERmVOuSj0lQZ7KOLGWYKxUyh+GroUfIApvcQbBQ5abLfAj8
8G9FBJvZ2yODqbTwbaRV/wg3tS004BGKgmekA8Chs8RHcLlseRHnt2vTMAMriANW
+Gt4FB0zMg3Debxr/ST1bCheLlIqIbB8NihAHAQG4C2cUcwcPzQk2uwHHWraCTaV
Co0FT+7Vi+kf7jrQqM8loPK3zY8grAjlfVDBo2Ht+AA29XF3OX8prQ==
=n/Em
-----END PGP SIGNATURE-----





Reply sent to Florian Weimer <fw@deneb.enyo.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #45 received at 457445-close@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: 457445-close@bugs.debian.org
Subject: Bug#457445: fixed in libnet-dns-perl 0.59-1etch1
Date: Fri, 21 Mar 2008 07:52:15 +0000
Source: libnet-dns-perl
Source-Version: 0.59-1etch1

We believe that the bug you reported is fixed in the latest version of
libnet-dns-perl, which is due to be installed in the Debian FTP archive:

libnet-dns-perl_0.59-1etch1.diff.gz
  to pool/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1.diff.gz
libnet-dns-perl_0.59-1etch1.dsc
  to pool/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1.dsc
libnet-dns-perl_0.59-1etch1_amd64.deb
  to pool/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 457445@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Weimer <fw@deneb.enyo.de> (supplier of updated libnet-dns-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 07 Mar 2008 22:17:33 +0100
Source: libnet-dns-perl
Binary: libnet-dns-perl
Architecture: source amd64
Version: 0.59-1etch1
Distribution: stable-security
Urgency: high
Maintainer: Florian Hinzmann <fh@debian.org>
Changed-By: Florian Weimer <fw@deneb.enyo.de>
Description: 
 libnet-dns-perl - Perform DNS queries from a Perl script
Closes: 457445
Changes: 
 libnet-dns-perl (0.59-1etch1) stable-security; urgency=high
 .
   * Malformed A records could lead to a Perl exception and program crash
     (CVE-2007-6341).  Closes: #457445.
   * A very weak random number generator was used for transaction IDs
     (CVE-2007-3377).
     Perl's rand() is used in the patch against this vulnerability--it is
     initialized from /dev/urandom, but the underlying LCG has only got 48
     bits of state, so at the very least, a brute-force attack is still
     possible if an attacker has got three subsequently generated
     transaction IDs.
   * The Perl implementation of dn_expand could recurse infinitely
     (CVE-2007-3409).  (On Debian systems, the C version is typically
     used.)
Files: 
 97a61f446273f49c42348334f5cc9ba8 915 perl optional libnet-dns-perl_0.59-1etch1.dsc
 d3408875f34e5fa0a313a4a21c70e832 137998 perl optional libnet-dns-perl_0.59.orig.tar.gz
 bfbdf3851e092853756b78e648b5af29 7584 perl optional libnet-dns-perl_0.59-1etch1.diff.gz
 ac599d5c037f6488e039887081d4d93b 252906 perl optional libnet-dns-perl_0.59-1etch1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBR9HHAb97/wQC1SS+AQKbNgf+MsUMd8TmleXs57Jnjmts57VThIfhcyWY
yYaHHPw/VXbO7bvA/Ts+Y4KeMbfpzsWB7PPXxhCLMbwsoUkwre7FaDuy5FJOUuBp
yCPItusH3krpKGnJTPB8sPCbIISk0bLFjairg3ybTKMoLQ2Ok3nv0nVbmwxXD6E3
rJHPHqfP6KmYt2imEocGZEI+chqdOKX4eYo5wv3b/HRJHyoDzW1HiREz2VJRAwE/
JD4XMcfotwCPRChU8nR1xAuiA5DPQWhgx2x+8v/eYve6CSe+yWJrgQ6s0xkf0CTX
oo4cE72rYmyPeXy88mjYx/v99p3ygRcT3473PPH4HLm3PDPxOuo7Uw==
=a+2f
-----END PGP SIGNATURE-----





Reply sent to Florian Weimer <fw@deneb.enyo.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #50 received at 457445-close@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: 457445-close@bugs.debian.org
Subject: Bug#457445: fixed in libnet-dns-perl 0.48-1sarge1
Date: Sat, 12 Apr 2008 17:54:46 +0000
Source: libnet-dns-perl
Source-Version: 0.48-1sarge1

We believe that the bug you reported is fixed in the latest version of
libnet-dns-perl, which is due to be installed in the Debian FTP archive:

libnet-dns-perl_0.48-1sarge1.diff.gz
  to pool/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1.diff.gz
libnet-dns-perl_0.48-1sarge1.dsc
  to pool/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1.dsc
libnet-dns-perl_0.48-1sarge1_i386.deb
  to pool/main/libn/libnet-dns-perl/libnet-dns-perl_0.48-1sarge1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 457445@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Weimer <fw@deneb.enyo.de> (supplier of updated libnet-dns-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 07 Mar 2008 23:03:36 +0100
Source: libnet-dns-perl
Binary: libnet-dns-perl
Architecture: source i386
Version: 0.48-1sarge1
Distribution: oldstable-security
Urgency: high
Maintainer: Florian Hinzmann <fh@debian.org>
Changed-By: Florian Weimer <fw@deneb.enyo.de>
Description: 
 libnet-dns-perl - Perform DNS queries from a Perl script
Closes: 457445
Changes: 
 libnet-dns-perl (0.48-1sarge1) oldstable-security; urgency=high
 .
   * Malformed A records could lead to a Perl exception and program crash
     (CVE-2007-6341).  Closes: #457445.
   * A very weak random number generator was used for transaction IDs
     (CVE-2007-3377).
     Perl's rand() is used in the patch against this vulnerability--it is
     initialized from /dev/urandom, but the underlying LCG has only got 48
     bits of state, so at the very least, a brute-force attack is still
     possible if an attacker has got three subsequently generated
     transaction IDs.
   * The Perl implementation of dn_expand could recurse infinitely
     (CVE-2007-3409).  (On Debian systems, the C version is typically
     used.)
Files: 
 69ce0c55a0c3876faaee37e78c592ec8 916 perl optional libnet-dns-perl_0.48-1sarge1.dsc
 bd5bab1de250b947a3f00148d426f2e2 95754 perl optional libnet-dns-perl_0.48.orig.tar.gz
 72b2f73855eceafb316f7fde51bc474e 6853 perl optional libnet-dns-perl_0.48-1sarge1.diff.gz
 ee51c0d78f1482161f241fa9a37aba5a 217226 perl optional libnet-dns-perl_0.48-1sarge1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBR9HHAb97/wQC1SS+AQIewAgAsEUs3Dkw9KWRut/FE8Tnjzh342dl8ElO
tSVSYSlY2YxyIrN/qTDt2Ze5IXcaepJZanIIkVgVj/EUVb36aCelhjeMGY/mktkE
D4XR2AuU1v46bAhnnERmVOuSj0lQZ7KOLGWYKxUyh+GroUfIApvcQbBQ5abLfAj8
8G9FBJvZ2yODqbTwbaRV/wg3tS004BGKgmekA8Chs8RHcLlseRHnt2vTMAMriANW
+Gt4FB0zMg3Debxr/ST1bCheLlIqIbB8NihAHAQG4C2cUcwcPzQk2uwHHWraCTaV
Co0FT+7Vi+kf7jrQqM8loPK3zY8grAjlfVDBo2Ht+AA29XF3OX8prQ==
=n/Em
-----END PGP SIGNATURE-----





Reply sent to Florian Weimer <fw@deneb.enyo.de>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #55 received at 457445-close@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: 457445-close@bugs.debian.org
Subject: Bug#457445: fixed in libnet-dns-perl 0.59-1etch1
Date: Sat, 26 Jul 2008 09:40:48 +0000
Source: libnet-dns-perl
Source-Version: 0.59-1etch1

We believe that the bug you reported is fixed in the latest version of
libnet-dns-perl, which is due to be installed in the Debian FTP archive:

libnet-dns-perl_0.59-1etch1.diff.gz
  to pool/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1.diff.gz
libnet-dns-perl_0.59-1etch1.dsc
  to pool/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1.dsc
libnet-dns-perl_0.59-1etch1_amd64.deb
  to pool/main/libn/libnet-dns-perl/libnet-dns-perl_0.59-1etch1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 457445@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Weimer <fw@deneb.enyo.de> (supplier of updated libnet-dns-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 07 Mar 2008 22:17:33 +0100
Source: libnet-dns-perl
Binary: libnet-dns-perl
Architecture: source amd64
Version: 0.59-1etch1
Distribution: stable-security
Urgency: high
Maintainer: Florian Hinzmann <fh@debian.org>
Changed-By: Florian Weimer <fw@deneb.enyo.de>
Description: 
 libnet-dns-perl - Perform DNS queries from a Perl script
Closes: 457445
Changes: 
 libnet-dns-perl (0.59-1etch1) stable-security; urgency=high
 .
   * Malformed A records could lead to a Perl exception and program crash
     (CVE-2007-6341).  Closes: #457445.
   * A very weak random number generator was used for transaction IDs
     (CVE-2007-3377).
     Perl's rand() is used in the patch against this vulnerability--it is
     initialized from /dev/urandom, but the underlying LCG has only got 48
     bits of state, so at the very least, a brute-force attack is still
     possible if an attacker has got three subsequently generated
     transaction IDs.
   * The Perl implementation of dn_expand could recurse infinitely
     (CVE-2007-3409).  (On Debian systems, the C version is typically
     used.)
Files: 
 97a61f446273f49c42348334f5cc9ba8 915 perl optional libnet-dns-perl_0.59-1etch1.dsc
 d3408875f34e5fa0a313a4a21c70e832 137998 perl optional libnet-dns-perl_0.59.orig.tar.gz
 bfbdf3851e092853756b78e648b5af29 7584 perl optional libnet-dns-perl_0.59-1etch1.diff.gz
 ac599d5c037f6488e039887081d4d93b 252906 perl optional libnet-dns-perl_0.59-1etch1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBR9HHAb97/wQC1SS+AQKbNgf+MsUMd8TmleXs57Jnjmts57VThIfhcyWY
yYaHHPw/VXbO7bvA/Ts+Y4KeMbfpzsWB7PPXxhCLMbwsoUkwre7FaDuy5FJOUuBp
yCPItusH3krpKGnJTPB8sPCbIISk0bLFjairg3ybTKMoLQ2Ok3nv0nVbmwxXD6E3
rJHPHqfP6KmYt2imEocGZEI+chqdOKX4eYo5wv3b/HRJHyoDzW1HiREz2VJRAwE/
JD4XMcfotwCPRChU8nR1xAuiA5DPQWhgx2x+8v/eYve6CSe+yWJrgQ6s0xkf0CTX
oo4cE72rYmyPeXy88mjYx/v99p3ygRcT3473PPH4HLm3PDPxOuo7Uw==
=a+2f
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Aug 2008 07:31:38 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 06:29:15 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.