[MaraDNS list] MaraDNS 1.4.08 and MaraDNS 1.3.07.12 released
Nicholas Bamber
nicholas at periapt.co.uk
Fri Dec 30 18:45:44 EST 2011
Sam,
1.4.08-1 is in preparation whatever the bureaucracy. I have asked the
Debian security team what they want to do with the old releases.
On 30/12/11 21:17, Sam Trenholme wrote:
> In terms of issuing a Debian security update:
>
> MaraDNS 2 is not affected and does not need to be patched.
>
> I have a minimal patch fixing only this security issue:
>
> http://maradns.org/download/patches/maradns-1.3-secret_hash.patch
>
> The patch requires /dev/urandom; Debian has this. [1]
>
> While there isn't a CVE for this issue in relation to MaraDNS, the
> problem is covered by CERT VU#903934 [2]
>
> - Sam
>
> [1] There really isn't much out there besides DOS and Windows that
> doesn't have /dev/urandom these days.
>
> [2] This will hopefully preclude Debian's bureaucratic hoop of needing
> a vulnerability number before patching MaraDNS
--
Nicholas Bamber | http://www.periapt.co.uk/
PGP key 3BFFE73C from pgp.mit.edu