Debian alert DLA-3457-1 (maradns)
| From: | Bastien Roucaries <rouca@debian.org> | |
| To: | <debian-lts-announce@lists.debian.org> | |
| Subject: | [SECURITY] [DLA 3457-1] maradns security update | |
| Date: | Mon, 19 Jun 2023 11:15:27 +0000 | |
| Message-ID: | <ffc378075a5d1bc16f3c21cf3b7b1bfa.rouca@debian.org> |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3457-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Bastien Roucariès June 19, 2023 https://wiki.debian.org/LTS - ------------------------------------------------------------------------- Package : maradns Version : 2.0.13-1.2+deb10u1 CVE ID : CVE-2022-30256 CVE-2023-31137 Debian Bug : 1033252 1035936 MaraDNS is a small and lightweight cross-platform open-source DNS server. CVE-2022-30256 A revoked domain name (so called "Ghost" domain name) can still be resolvable for a long time by staying in the cache longer than max_ttl allows. "Ghost" domain names includes expired domains and taken-down malicious domains. CVE-2023-31137 The authoritative server in MaraDNS had an issue where it is possible to remotely terminate the MaraDNS process with a specialy crafted packet (so called "packet of death"). For Debian 10 buster, these problems have been fixed in version 2.0.13-1.2+deb10u1. We recommend that you upgrade your maradns packages. For the detailed security status of maradns please refer to its security tracker page at: https://security-tracker.debian.org/tracker/maradns Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmSQOM8ACgkQADoaLapB CF8l8A/+JIy73RPqTaVKf5wm2rbzsagJ/Ab0O+E6oXUUwYePgXGMlAuV2GWYwBbp aGw2simemXupzSNjq3AYHZmZEkSYcat28dKxLB7D/0n2f+vyw3mM2La7DVCbLmOE ew1mCgYX085bzrxeB6ubQQk0Sz9yl8dUVrarDOan9UOrHVpwiA2qId18Y2w5aH85 xq2Iw/m2eEb0QsQ5L1vDow/nD+dyt4Ia1N2f62wpd6mIdQcH0MQtfCHWFSliFf/2 SLPrPFVqXigznT/K+EoBhiznNN03JMHAmjKmih3juwe5aQQsalHAHrR7B+HVu/Zl VQ0TspJ5yGPVpmL9oz75NjaMEYpJaj32hXVSzfSZp9GMr/HlF3z7TXqzt56pOOHa IMmivDGJV6nSndAUfaUaQ/hvJmgbAWrqB165pw1Yp/coQ9Pwa+A4W4aN0Y5JdUYZ d9kv5oHG3vp7IN7cKglLgDSara6osDt7sn7mL6b4psBWXKlHVa4PD9j7azL5e0Si 1HL5XY1jF5EXv4pSeuQXtWP79BOXVWzarcrHjuj7N8fycu8p2SpY4DB6PhAUl4fI 5RHrKfMgbkKgZhFWxaWe9XaQHfH5/S5CitxJkpZeHSWaAOhtgz2zYz7/Ru9sRlz8 akH1+N3dmeoFSZDOc7lLE2WO5V2S5Rf6FrX3m5t6D0mZMxQwtgc= =NM3Q -----END PGP SIGNATURE-----