From 564e2f78daf0d3d003cbc9f9a0745b9f961d25e67ea05e10c290c62272d367d1 Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Wed, 24 Sep 2008 12:58:43 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/adns?expand=0&rev=4 --- README.SUSE | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++ adns.changes | 6 ++++++ adns.spec | 20 +++++++++++++++++--- 3 files changed, 76 insertions(+), 3 deletions(-) create mode 100644 README.SUSE diff --git a/README.SUSE b/README.SUSE new file mode 100644 index 0000000..35422b1 --- /dev/null +++ b/README.SUSE 
@@ -0,0 +1,53 @@ +ADNS + +From the Homepage: + +Advanced, easy to use, asynchronous-capable DNS client library and utilities. +adns is a resolver library for C (and C++) programs, and a collection of useful +DNS resolver utilities. + +I'm (Ian) afraid there is no manual yet. However, competent C programmers should +be able to use the library based on the commented adns.h header file, and +the usage messages for the programs should be sufficient. + +adns also comes with a number of utility programs for use from the command +line and in scripts: + + * adnslogres is a much faster version of Apache's logresolv program. + + * adnsresfilter is a filter which copies its input to its output, + replacing IP addresses by the corresponding names, without unduly + delaying the output. For example, you can usefully pipe the + output of netstat -n, tcpdump -ln, and the like, into it. + + * adnshost is a general-purpose DNS lookup utility which can be used easily + in from the command line and from shell scripts to do simple lookups. + In a more advanced mode it can be used as a general-purpose DNS helper + program for scripting languages which can invoke and communicate with + subprocesses. See the adnshost usage message for a summary of its capabilities. + +From the INSTALL file: + + SECURITY AND PERFORMANCE - AN IMPORTANT NOTE + + adns is not a `full-service resolver': it does no caching of responses + at all, and has no defence against bad nameservers or fake packets + which appear to come from your real nameservers. It relies on the + full-service resolvers listed in resolv.conf to handle these tasks. + + For secure and reasonable operation you MUST run a full-service + nameserver on the same system as your adns applications, or on the + same local, fully trusted network. You MUST only list such + nameservers in the adns configuration (eg resolv.conf). 
+ + You MUST use a firewall or other means to block packets which appear + to come from these nameservers, but which were actually sent by other, + untrusted, entities. + + Furthermore, adns is not DNSSEC-aware in this version; it doesn't + understand even how to ask a DNSSEC-aware nameserver to perform the + DNSSEC cryptographic signature checking. + +In particular, adns does not randomize the query source port or transaction ID; +relevant advisories are CVE-2008-1447 and CVE-2008-4100. Since adns is a stub +resolver, the workarounds listed in DSA-1605-1 for glibc also apply to adns. diff --git a/adns.changes b/adns.changes index 06875ca..71ae23b 100644 --- a/adns.changes +++ b/adns.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Sep 18 10:40:36 CEST 2008 - prusnak@suse.cz + +- document CVE-2008-1447 / CVE-2008-4100 poisoning vulnerability + in README.SUSE [bnc#426515] + ------------------------------------------------------------------- Wed Feb 20 17:08:29 CET 2008 - prusnak@suse.cz diff --git a/adns.spec b/adns.spec index 37d404a..7f4b15a 100644 --- a/adns.spec +++ b/adns.spec 
@@ -2,9 +2,16 @@ # spec file for package adns (Version 1.4) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. -# This file and all modifications and additions to the pristine -# package are under the same license as the package itself. # +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + # Please submit bugfixes or comments via http://bugs.opensuse.org/ # @@ -13,13 +20,14 @@ Name: adns Version: 1.4 -Release: 31 +Release: 73 License: GPL v2 or later Group: Productivity/Networking/DNS/Utilities Url: http://www.chiark.greenend.org.uk/~ian/adns/ AutoReqProv: on Summary: Advanced Easy-to-Use Asynchronous-Capable DNS Utilities Source: %{name}-%{version}.tar.bz2 +Source1: README.SUSE Patch0: %{name}-%{version}-destdir.patch Patch1: %{name}-%{version}-configure.patch Patch2: %{name}-%{version}-ipv6.patch @@ -35,6 +43,7 @@ Authors: Ian Jackson %package -n libadns1 +License: GPL v2 or later Summary: Advanced DNS resolver client library Group: System/Libraries Provides: libadns = %{version} @@ -52,6 +61,7 @@ Authors: Ian Jackson %package -n libadns-devel +License: GPL v2 or later Summary: Libraries and header files to develop programs with libadns support Group: Development/Languages/C and C++ Requires: libadns1 = %{version} glibc-devel @@ -71,6 +81,7 @@ Authors: %patch0 %patch1 %patch2 +cp %{S:1} . %build autoreconf -fi 
@@ -108,6 +119,9 @@ rm -rf %{buildroot} %postun -n libadns1 -p /sbin/ldconfig %changelog +* Thu Sep 18 2008 prusnak@suse.cz +- document CVE-2008-1447 / CVE-2008-4100 poisoning vulnerability + in README.SUSE [bnc#426515] * Wed Feb 20 2008 prusnak@suse.cz - added patch to support IPv6 protocol [#350506] * Tue Aug 07 2007 crrodriguez@suse.de
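
Review bot: In README.SUSE, the closing paragraph (the one naming CVE-2008-1447 and CVE-2008-4100) sends readers to "the workarounds listed in DSA-1605-1 for glibc" without saying what they are, so a SUSE user has to look up a Debian advisory before acting on it. Suggest stating the mitigation in the README itself and tying it to the INSTALL text quoted just above: list only a full-service resolver on the same host or on a fully trusted local network in resolv.conf. That paragraph also follows the indented INSTALL excerpt with no marker that it is the packager's own addition; a short heading would show where the upstream quote ends. Minor: "used easily in from the command line" in the adnshost bullet has a stray "in".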
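
Review bot: The new adns.changes entry (and its copy in the %changelog hunk of adns.spec) mentions only the README.SUSE addition, but the same commit also adds "Source1: README.SUSE" and explicit "License: GPL v2 or later" tags to the libadns1 and libadns-devel subpackages. Suggest adding a line for those spec changes so the changelog matches what ships. It would also help to say in the entry that this is documentation only and that the resolver behaviour itself is unchanged, since "document ... vulnerability" next to two CVE numbers can be misread as a fix by anyone scanning changelogs for patched CVEs.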
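
Review bot: In the %prep hunk of adns.spec, "cp %{S:1} ." only copies README.SUSE into the build directory, and none of the hunks touches %files, so the file reaches users only if an existing %doc entry already matches it. Please confirm that, or add "%doc README.SUSE" explicitly. Since the caveat applies to every program linked against the library and not only to the command-line utilities, consider shipping the file in libadns1 as well as in the main adns package. Separately, in the header hunk the line after "published by the Open Source Initiative." is added as an empty line where the old header had a "#" comment line; keeping the "#" would leave the comment block contiguous.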