Bug 16324

Summary: bind new security issue CVE-2015-4620
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, neoser10, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/650519/
Whiteboard: MGA4TOO has_procedure advisory MGA4-64-OK MGA4-32-OK MGA5-32-OK
Source RPM: bind-9.10.1.P2-2.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-07-08 16:53:12 CEST 
Upstream has issued an advisory on July 7:
https://kb.isc.org/article/AA-01267

The issue is fixed in 9.9.7-P1 and 9.10.2-P2:
https://kb.isc.org/article/AA-01270
https://kb.isc.org/article/AA-01269

Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated bind packages fix security vulnerability:

A recursive resolver that is performing DNSSEC validation can be deliberately
terminated by any attacker who can cause a query to be performed against a
maliciously constructed zone.  This will result in a denial of service to
clients who rely on that resolver (CVE-2015-4620).

Note that DNSSEC validation is not enabled by default.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4620
https://kb.isc.org/article/AA-01267
https://kb.isc.org/article/AA-01270
https://kb.isc.org/article/AA-01269
========================

Updated packages in core/updates_testing:
========================
bind-9.9.7.P1-1.mga4
bind-sdb-9.9.7.P1-1.mga4
bind-utils-9.9.7.P1-1.mga4
bind-devel-9.9.7.P1-1.mga4
bind-doc-9.9.7.P1-1.mga4
bind-9.10.2.P2-1.mga5
bind-sdb-9.10.2.P2-1.mga5
bind-utils-9.10.2.P2-1.mga5
bind-devel-9.10.2.P2-1.mga5
bind-doc-9.10.2.P2-1.mga5

from SRPMS:
bind-9.9.7.P1-1.mga4.src.rpm
bind-9.10.2.P2-1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-07-08 16:53:26 CEST 
Testing procedure: similar to
https://bugs.mageia.org/show_bug.cgi?id=9163#c8

Whiteboard: (none) => MGA4TOO has_procedure

Comment 2 Mauricio Andrés Bustamante Viveros 2015-07-08 19:00:40 CEST 
Tested MGA4-32, First installed bind from core distrib (9.9.4), started service, using the 9163 test case, OK.

After this test, upgrade the package using the core updates testing, and after the testing seems all OK

The resultant package installed is 9.9.7

Testing the MGA5-32

CC: (none) => neoser10

Comment 3 David Walser 2015-07-08 20:18:48 CEST 
Debian has issued an advisory for this on July 7:
https://www.debian.org/security/2015/dsa-3304

URL: (none) => http://lwn.net/Vulnerabilities/650519/

Comment 4 Mauricio Andrés Bustamante Viveros 2015-07-08 21:27:05 CEST 
Tested MGA5-32, First installed bind from core distrib (9.10), started service, using the 9163 test case, i have no server response error, but after 3 or 5 minutes i get connection with a master (with mga4-32 after the service starts, i execute digs commands to @localhost and i have faster responses)

After this test, upgrade the package using the core updates testing, and after the testing seems all OK

The resultant package installed is 9.10.2

All testing is without modify the default configurations.

Only I have a question, Can I use the sdb version of bind without uninstall the standart implementation??? Any considerations before or after install that package?? I want to test again with that pkg both MGA installs

Thanks
Comment 5 Dave Hodgins 2015-07-09 01:19:06 CEST 
Advisory committed to svn, and testing complete on Mageia 4 32 and 64 bit.

Based on comment 4, I'm adding the MGA5-32-OK whiteboard entry, and validating
the update.

Keywords: (none) => validated_update
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure advisory MGA4-64-OK MGA4-32-OK MGA5-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2015-07-09 10:10:04 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0272.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED