Bug 1485

Summary: bind9 vulnerabilities
Product: Mageia Reporter: Jérôme Soyer <saispo>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, lists.jjorge, pterjan, stewbintn, tmb
Version: Cauldron   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard:
Source RPM: bind-9.8.0-6.P1.mga1.src.rpm CVE:
Status comment:

Description Jérôme Soyer 2011-05-30 18:07:44 CEST 
Summary:

An attacker could send crafted input to Bind and cause it to crash.

Software Description:
- bind9: Internet Domain Name Server

Details:

It was discovered that Bind incorrectly handled certain bad signatures if
multiple trust anchors existed for a single zone. A remote attacker could
use this flaw to cause Bind to stop responding, resulting in a denial of
service. This issue only affected Ubuntu 8.04 LTS and 10.04 LTS.
(CVE-2010-3762)

Frank Kloeker and Michael Sinatra discovered that Bind incorrectly handled
certain very large RRSIG RRsets included in negative responses. A remote
attacker could use this flaw to cause Bind to stop responding, resulting in
a denial of service. (CVE-2011-1910)

Update instructions:

The problem can be corrected by updating your system.
Comment 1 Pascal Terjan 2011-06-07 11:32:45 CEST 
Partially duplicate of bug #1451

CC: (none) => pterjan

Comment 2 Nicolas Vigier 2011-07-05 21:03:40 CEST 
Other security fixes from version 9.8.0-P4 :
ftp://ftp.isc.org/isc/bind/9.8.0-P4/RELEASE-NOTES-BIND-9.8.0-P4.html

CC: (none) => boklm

Comment 3 Nicolas Vigier 2011-07-05 21:14:55 CEST 
Bind package updated to version 9.8.0-P4 has been submitted to updates_testing.

Assignee: bugsquad => qa-bugs

Comment 4 Nicolas Vigier 2011-07-05 21:16:21 CEST 
*** Bug 1451 has been marked as a duplicate of this bug. ***

CC: (none) => tmb

Comment 5 Dave Hodgins 2011-07-06 00:54:23 CEST 
The packages involved are
bind-devel
bind
bind-doc
bind-utils
The srpm is bind-9.8.0-6.P4.mga1.src.rpm

I've installed the packages on my i586 system.  For the doc and devel packages,
I'm simply confirming that they install without any conflicts.

For the bind and bind-utils package, I ran "service named restart",
and some dig/host/nslookup commands, and am currently using
nameserver 127.0.0.1
as the first line in /etc/resolv.conf.

I don't see a poc test for the security updates, so I'm not trying to
test those.

Testing complete on i586.

CC: (none) => davidwhodgins

Comment 6 José Jorge 2011-07-06 19:05:41 CEST 
tested bind-utils on x86_64, works for me with a nslookup.

CC: (none) => lists.jjorge

Comment 7 Dave Hodgins 2011-07-07 02:00:31 CEST 
Can someone from the sysadmin team push the packages
bind-devel
bind
bind-doc
bind-utils
from Core Updates Testing to Core Updates please.
The srpm is bind-9.8.0-6.P4.mga1.src.rpm
Comment 8 Stew Benedict 2011-07-07 13:22:49 CEST 
If the "other security fixes" from comment 2 went in, we should mention CVE-2011-2464 in the advisory text:

It was discovered that BIND, a DNS server, does not correctly process
certain UPDATE requests, resulting in a server crash and a denial of
service.  This vulnerability affects BIND installations even if they
do not actually use dynamic DNS updates (CVE-2011-2464).

CC: (none) => stewbintn

Comment 9 Pascal Terjan 2011-07-07 13:40:05 CEST 
I have seen on the internet an exploit for CVE-2011-2464 (and not tested it). I can't make this comment private but can send it to interested people who don't have it.
Comment 10 Nicolas Vigier 2011-07-07 13:42:40 CEST 
Yes, I think we should mention all updates since P1 :
ftp://ftp.isc.org/isc/bind/9.8.0-P2/RELEASE-NOTES-BIND-9.8.0-P2.html
ftp://ftp.isc.org/isc/bind/9.8.0-P4/RELEASE-NOTES-BIND-9.8.0-P4.html

So advisory could be something like this :

This update fix several security issues in bind :
- Using Response Policy Zone (RPZ) with DNAME records and querying the subdomain of that label can cause named to crash. Now logs that DNAME is not supported. [ISC RT #24766]
- If named is configured to be both authoritative and resursive and receives a recursive query for a CNAME in a zone that it is authoritative for, if that CNAME also points to a zone the server is authoritative for, the recursive part of name will not follow the CNAME change and the response will not be a complete CNAME chain. [ISC RT #24455]
- Using Response Policy Zone (RPZ) to query a wildcard CNAME label with QUERY type SIG/RRSIG, it can cause named to crash. Fix is query type independant. [ISC RT #24715] [CVE-2011-1907]
- Change #2912 (see CHANGES) exposed a latent bug in the DNS message processing code that could allow certain UPDATE requests to crash named. This was fixed by disambiguating internal database representation vs DNS wire format data. [ISC RT #24777] [CVE-2011-2464]
- A large RRSET from a remote authoritative server that results in the recursive resolver trying to negatively cache the response can hit an off by one code error in named, resulting in named crashing. [ISC RT #24650] [CVE-2011-1910]
- Zones that have a DS record in the parent zone but are also listed in a DLV and won't validate without DLV could fail to validate. [ISC RT #24631]
Comment 11 Dave Hodgins 2011-07-14 04:11:19 CEST 
Can someone from the sysadmin team push the packages
bind-devel
bind
bind-doc
bind-utils
from Core Updates Testing to Core Updates please.
The srpm is bind-9.8.0-6.P4.mga1.src.rpm

See comment 10 for the advisory.
Comment 12 Nicolas Vigier 2011-07-14 11:26:02 CEST 
pushed to updates.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:05:46 CEST

CC: boklm => (none)