Bug 19698

Ubuntu has issued an advisory for this today (November 1):
https://www.ubuntu.com/usn/usn-3119-1/

Patched package uploaded for Mageia 5.

Testing procedure: similar to
https://bugs.mageia.org/show_bug.cgi?id=9163#c8

Advisory:
========================

Updated bind packages fix security vulnerability:

Tony Finch and Marco Davids discovered that Bind incorrectly handled certain
responses containing a DNAME answer. A remote attacker could possibly use this
issue to cause Bind to crash, resulting in a denial of service (CVE-2016-8864).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864
https://kb.isc.org/article/AA-01434
https://www.ubuntu.com/usn/usn-3119-1/
========================

Updated packages in core/updates_testing:
========================
bind-9.10.3.P4-1.2.mga5
bind-sdb-9.10.3.P4-1.2.mga5
bind-utils-9.10.3.P4-1.2.mga5
bind-devel-9.10.3.P4-1.2.mga5
bind-doc-9.10.3.P4-1.2.mga5

from bind-9.10.3.P4-1.2.mga5.src.rpm

Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure

Trying this out on x86_64 first.  There are no reproducers posted so the test will follow Claire's procedure as indicated in comment #1.

CC: (none) => tarazed25

Before updating installed the bind components.
dnsmasq had to be removed before bind would install.

There is a command in /usr/bin called bind9-config which is a symbolic link to
multiarch-dispatch but the man page for bind9-config points to isc-config.sh.
From the man pages:
       isc-config.sh prints information related to the installed version of
       ISC BIND, such as the compiler and linker flags required to compile and
       link programs that use ISC BIND libraries.

bind is required by bind-sdb and clusterscripts-server
The README file for bind-sdb gives:
This is an attempt at an LDAP back-end for BIND 9 using the new simplified
database interface "sdb".  Other notes under /usr/share/doc indicate that bind-sdb is somewhat experimental.
clusterscripts-server is not installed.

Updated the packages as listed.

To make the procedure clearer, named is the DNS server from bind and the dig command
specifies the local DNS service which is now named.
$ sudo systemctl start named
$ dig @localhost mageia.org
; <<>> DiG 9.10.3-P4 <<>> @localhost mageia.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31238
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mageia.org.			IN	A

;; ANSWER SECTION:
mageia.org.		1800	IN	A	217.70.188.116

;; AUTHORITY SECTION:
mageia.org.		86400	IN	NS	ns1.mageia.org.
mageia.org.		86400	IN	NS	ns0.mageia.org.

;; ADDITIONAL SECTION:
ns0.mageia.org.		86400	IN	A	212.85.158.146
ns1.mageia.org.		86400	IN	A	95.142.164.207

;; Query time: 908 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Nov 03 19:08:56 GMT 2016
;; MSG SIZE  rcvd: 123

The output matches that posted in bug 9168 so 64-bits good.

Installed the packages on i586 vbox and then updated them.
Started the named service and ran
$ dig @localhost mageia.org
and received the same data.

Validating.  Would sysadmin please push this to Core Updates?

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK

Hi,

please upload the advisory

CC: (none) => mageia

(In reply to Nicolas Lécureuil from comment #5)
> please upload the advisory
Done.

CC: (none) => lewyssmith
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure MGA5-64-OK MGA5-32-OK advisory

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0365.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED