Bug 17339

Summary: bind new security issue CVE-2015-8000
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, paul.blackburn, sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/668124/
Whiteboard: has_procedure MGA5-64-OK advisory
Source RPM: bind-9.10.2.P4-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-12-16 01:14:14 CET 
Upstream has issued advisories today (December 15):
https://kb.isc.org/article/AA-01317

This is a critical, remotely exploitable denial of service vulnerability.

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated bind packages fix security vulnerability:

An error in the parsing of incoming responses allows some records with an
incorrect class to be accepted by BIND instead of being rejected as malformed.
This can trigger a REQUIRE assertion failure when those records are
subsequently cached. Intentional exploitation of this condition is possible
and could be used as a denial-of-service vector against servers performing
recursive queries (CVE-2015-8500).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8000
https://kb.isc.org/article/AA-01317
https://kb.isc.org/article/AA-01317
========================

Updated packages in core/updates_testing:
========================
bind-9.10.3.P2-1.mga5
bind-sdb-9.10.3.P2-1.mga5
bind-utils-9.10.3.P2-1.mga5
bind-devel-9.10.3.P2-1.mga5
bind-doc-9.10.3.P2-1.mga5

from bind-9.10.3.P2-1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-12-16 01:14:46 CET 
Testing procedure: similar to
https://bugs.mageia.org/show_bug.cgi?id=9163#c8

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2015-12-16 14:38:48 CET 
Debian has issued an advisory for this on December 15:
https://www.debian.org/security/2015/dsa-3420
Comment 3 Paul Blackburn 2015-12-16 16:21:23 CET 
preparing to test x86_64 rpms

CC: (none) => paul.blackburn

Comment 4 Paul Blackburn 2015-12-16 16:35:46 CET 
tested OK on x86_64
David Walser 2015-12-16 19:30:38 CET

URL: (none) => http://lwn.net/Vulnerabilities/668124/

Comment 5 William Kenney 2015-12-17 18:48:12 CET 
(In reply to Paul Blackburn from comment #4)

> tested OK on x86_64

Paul could you expand a little, or a lot, on how you tested bind.
Thanks

CC: (none) => wilcal.int

Comment 6 Paul Blackburn 2015-12-17 21:05:22 CET 
Tested the updated RPMs on a name server with SOA for a domain and several subnets. Verified BIND handled forward and inverse queries for the domain, subnets, and for external queries. Searched for a proof of concept for the vulnerability addressed by this update but was not able to find one.
Comment 7 Dave Hodgins 2015-12-18 04:37:54 CET 
$ dig mageia.org|grep SERVER
;; SERVER: 127.0.0.1#53(127.0.0.1)

Confirmed working here. Validating the update.

I'll add the advisory to svn shortly, if it isn't already there.

Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure MGA5-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 8 Dave Hodgins 2015-12-18 04:46:19 CET 
Advisory uploaded to svn.

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory

Comment 9 Mageia Robot 2015-12-20 10:16:20 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0481.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 10 David Walser 2015-12-21 21:46:52 CET 
This is two bugs in a week that I typoed the CVE in the advisory text, but had the correct CVE in the references and bug title.  I have fixed it in SVN.

When uploading the advisories, please make sure the CVEs match.  If they don't, please ask for clarification if you're not sure which is correct.  I apologize for the errors.