Bug#863277: systemd: CVE-2017-9217: systemd-resolved crashed with SIGSEGV in dns_packet_is_reply_for()
Salvatore Bonaccorso
carnil at debian.org
Wed May 24 19:27:22 BST 2017
Source: systemd
Version: 232-23
Severity: important
Tags: patch upstream security
Forwarded: https://github.com/systemd/systemd/pull/5998
Hi,

the following vulnerability was published for systemd.

CVE-2017-9217[0]:
| systemd-resolved through 233 allows remote attackers to cause a denial
| of service (daemon crash) via a crafted DNS response with an empty
| question section.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9217
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9217
[1] https://github.com/systemd/systemd/pull/5998
[2] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1621396
[3] https://bugzilla.novell.com/show_bug.cgi?id=1040614

Please adjust the affected versions in the BTS as needed. I think the
version in jessie should not be affected; unless I'm wrong (and then
please correct me) the resolved: DNS client stub resolver was only
introduced post v216, and the issue may be even later (post v219). But
it would be greatly appreciated if you can confirm that.

Regards,
Salvatore
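
A defensive form of the check the CVE text implies, where a reply with an empty question section is rejected before any question is read. This is an added example, not systemd's code and not the patch from the pull request; `reply_matches_query`, `name_len` and the sample packets are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HEADER_LEN 12

/* Read a big-endian 16-bit field. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Length of the uncompressed wire-format name at off, or 0 if malformed/truncated. */
static size_t name_len(const uint8_t *msg, size_t len, size_t off) {
    size_t start = off;
    while (off < len) {
        uint8_t l = msg[off];
        if (l == 0) return off + 1 - start;   /* root label ends the name */
        if (l > 63) return 0;                 /* pointer or invalid label */
        off += 1 + (size_t)l;
    }
    return 0;                                 /* ran off the end of the packet */
}

/* Hypothetical helper: 1 if msg is a reply to (id, qname, qtype, qclass), else 0. */
int reply_matches_query(const uint8_t *msg, size_t len, uint16_t id,
                        const uint8_t *qname, size_t qname_len,
                        uint16_t qtype, uint16_t qclass) {
    if (msg == NULL || len < DNS_HEADER_LEN) return 0;
    if (rd16(msg) != id) return 0;
    if (!(msg[2] & 0x80)) return 0;           /* QR bit clear: not a response */
    if (rd16(msg + 4) != 1) return 0;         /* QDCOUNT 0 (empty question) or >1 */
    size_t n = name_len(msg, len, DNS_HEADER_LEN);
    if (n == 0 || n != qname_len) return 0;
    if (len - DNS_HEADER_LEN - n < 4) return 0;   /* no room for QTYPE/QCLASS */
    /* Simplification: byte-wise compare; DNS names are case-insensitive. */
    if (memcmp(msg + DNS_HEADER_LEN, qname, n) != 0) return 0;
    const uint8_t *q = msg + DNS_HEADER_LEN + n;
    return rd16(q) == qtype && rd16(q + 2) == qclass;
}

/* Constructed sample data: query name "example", a matching reply, an empty-question reply. */
static const uint8_t QNAME[] = {7,'e','x','a','m','p','l','e',0};
static const uint8_t REPLY_OK[] = {0x12,0x34, 0x81,0x80, 0,1, 0,0, 0,0, 0,0,
                                   7,'e','x','a','m','p','l','e',0, 0,1, 0,1};
static const uint8_t REPLY_EMPTY_Q[] = {0x12,0x34, 0x81,0x80, 0,0, 0,0, 0,0, 0,0};

int main(void) {
    printf("matching reply: %d\n", reply_matches_query(REPLY_OK, sizeof REPLY_OK, 0x1234, QNAME, sizeof QNAME, 1, 1));
    printf("empty question: %d\n", reply_matches_query(REPLY_EMPTY_Q, sizeof REPLY_EMPTY_Q, 0x1234, QNAME, sizeof QNAME, 1, 1));
    return 0;
}
```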