* bind: issue in trust anchor management can cause named to crash (CVE-2015-1349)
@ 2015-03-11  8:06 Sona Sarmadi
  2015-03-11 23:28 ` Alexandru Vaduva
  0 siblings, 1 reply; 5+ messages in thread
From: Sona Sarmadi @ 2015-03-11  8:06 UTC (permalink / raw)
  To: yocto-security; +Cc: yocto

Affects version 9.7.0 - 9.10.1-P1. In master we use bind 9.9.5.


// Sona 



* Re: bind: issue in trust anchor management can cause named to crash (CVE-2015-1349)
  2015-03-11  8:06 bind: issue in trust anchor management can cause named to crash (CVE-2015-1349) Sona Sarmadi
@ 2015-03-11 23:28 ` Alexandru Vaduva
  2015-03-12  7:35   ` Sona Sarmadi
  0 siblings, 1 reply; 5+ messages in thread
From: Alexandru Vaduva @ 2015-03-11 23:28 UTC (permalink / raw)
  To: Sona Sarmadi, yocto-security; +Cc: yocto


Wouldn't it be better for the bugs to be only mentioned on the security list? It is my opinion that knowing about a risk before it is fixed could cause more harm than good. What do you think about this?

Alex Vaduva
 

     On Wednesday, March 11, 2015 10:06 AM, Sona Sarmadi <sona.sarmadi@enea.com> wrote:
   

 Affects version 9.7.0 - 9.10.1-P1. In master we use bind 9.9.5.


// Sona 

* Re: bind: issue in trust anchor management can cause named to crash (CVE-2015-1349)
  2015-03-11 23:28 ` Alexandru Vaduva
@ 2015-03-12  7:35   ` Sona Sarmadi
  2015-03-12 15:57     ` Benjamin Esquivel
  0 siblings, 1 reply; 5+ messages in thread
From: Sona Sarmadi @ 2015-03-12  7:35 UTC (permalink / raw)
  To: Alexandru Vaduva, yocto-security; +Cc: yocto


Hi Alex,

Yes, I agree with you, but this is already a public CVE. Maybe in the future we will/should just discuss security-related issues in the yocto-security@yoctoproject.org mailing list, but right now we don’t have many members so I copy to the yocto@yoctoproject.org list as well.

My intention is to make the list aware of security vulnerabilities/CVEs which keep coming all the time. I encourage everyone to do this. We will sooner or later create a bug in Bugzilla if needed or just backport the CVE to our version or upgrade the recipes in the affected package to the version which is not vulnerable.

//Sona

From: Alexandru Vaduva [mailto:vaduvajanalexandru@yahoo.com]
Sent: den 12 mars 2015 00:28
To: Sona Sarmadi; yocto-security@yoctoproject.org
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] bind: issue in trust anchor management can cause named to crash (CVE-2015-1349)

Wouldn't it be better for the bugs to be only mentioned on the security list?
It is my opinion that knowing about a risk before it is fixed could cause more harm than good.
What do you think about this?


Alex Vaduva


* Re: bind: issue in trust anchor management can cause named to crash (CVE-2015-1349)
  2015-03-12  7:35   ` Sona Sarmadi
@ 2015-03-12 15:57     ` Benjamin Esquivel
  2015-03-13  7:59       ` Sona Sarmadi
  0 siblings, 1 reply; 5+ messages in thread
From: Benjamin Esquivel @ 2015-03-12 15:57 UTC (permalink / raw)
  To: Sona Sarmadi; +Cc: yocto-security, yocto

On Thu, 2015-03-12 at 07:35 +0000, Sona Sarmadi wrote:
> Hi Alex,
> 
>  
> 
> Yes I agree with you but this is already a public CVE. Maybe in the
> future we will/should just discuss security related issues in the
> yocto-security@yoctoproject.org mailing list, but right now we don’t
> have many members so I copy to the yocto@yoctoproject.org list as
> well. 
> 
I think this list is not published in the yocto lists page:

https://www.yoctoproject.org/tools-resources/community/mailing-lists

And, who would be able to subscribe to it? invite-only? public?
 
>  
> 
> My intention is to make the list aware of security
> vulnerabilities/CVEs which keep coming all the time. I encourage
> everyone to do this. We will sooner or later create a bug in Bugzilla if
> needed or just backport the CVE to our version or upgrade the recipes
> in the affected package to the version which is not vulnerable.
> 
>  
> 
> //Sona
> 
>  
> 
> From: Alexandru Vaduva [mailto:vaduvajanalexandru@yahoo.com] 
> Sent: den 12 mars 2015 00:28
> To: Sona Sarmadi; yocto-security@yoctoproject.org
> Cc: yocto@yoctoproject.org
> Subject: Re: [yocto] bind: issue in trust anchor management can cause
> named to crash (CVE-2015-1349)
> 
> 
>  
> 
> Wouldn't it be better for the bugs to be only mentioned on the
> security list?
> 
> 
> It is my opinion that knowing about a risk before it is fixed could cause
> more harm than good.
> 
> 
> What do you think about this?
> 
> 
>  
> 
> 
>  
> 
> 
> Alex Vaduva
> 
> 





* Re: bind: issue in trust anchor management can cause named to crash (CVE-2015-1349)
  2015-03-12 15:57     ` Benjamin Esquivel
@ 2015-03-13  7:59       ` Sona Sarmadi
  0 siblings, 0 replies; 5+ messages in thread
From: Sona Sarmadi @ 2015-03-13  7:59 UTC (permalink / raw)
  To: benjamin.esquivel; +Cc: Alexandru Vaduva, yocto-security, yocto

Hi Benjamin,

> I think this list is not published in the yocto lists page:
> https://www.yoctoproject.org/tools-resources/community/mailing-lists
> And, who would be able to subscribe to it? invite-only? public?

This mailing list is an open list to discuss security-related activities (mainly for those who contribute to the Yocto Project with security updates/patches etc.). We have some info about this list at the https://wiki.yoctoproject.org/wiki/Security page; we should add this mailing list to https://www.yoctoproject.org/tools-resources/community/mailing-lists as well.

Thank you for addressing this.

//Sona 
