| Summary: | bind new security issues CVE-2021-2521[4-6] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | davidwhodgins, guillomovitch, ouaurelien, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7TOO MGA8-64-OK MGA7-64-OK | ||
| Source RPM: | bind-9.11.27-1.1.mga8.src.rpm | CVE: | CVE-2021-2521[4-6] |
| Status comment: | |||
|
Description
David Walser
2021-05-03 22:52:10 CEST
David Walser
2021-05-03 22:52:21 CEST
Status comment: (none) => Fixed upstream in 9.11.31

Assigning to Guillaume, maintainer for bind.

Assignee: bugsquad => guillomovitch

Announcement thread with a little more information:
https://www.openwall.com/lists/oss-security/2021/04/29/1

Update built by Guillaume for Mageia 8 (forgot to remove subrel, oops). Nothing for Mageia 7 yet.

bind-9.11.31-1.1.mga8
libdns1114-9.11.31-1.1.mga8
libdns_pkcs11_1114-9.11.31-1.1.mga8
bind-devel-9.11.31-1.1.mga8
bind-sdb-9.11.31-1.1.mga8
bind-pkcs11-9.11.31-1.1.mga8
bind-utils-9.11.31-1.1.mga8
bind-pkcs11-utils-9.11.31-1.1.mga8
libisc_pkcs11_1107-9.11.31-1.1.mga8
libisc1107-9.11.31-1.1.mga8
python3-bind-9.11.31-1.1.mga8
bind-dnssec-utils-9.11.31-1.1.mga8
libisccfg163-9.11.31-1.1.mga8
liblwres161-9.11.31-1.1.mga8
libbind9_161-9.11.31-1.1.mga8
bind-pkcs11-devel-9.11.31-1.1.mga8
libisccc161-9.11.31-1.1.mga8
bind-sdb-chroot-9.11.31-1.1.mga8
libirs161-9.11.31-1.1.mga8
bind-chroot-9.11.31-1.1.mga8

I asked for an admin to remove those packages, so as to submit them again with correct release.

For Mageia 7, the version change 9.11.6 -> 9.11.31 seems a bit excessive for a security update, and I couldn't find suitable patches except for CVE-2021-25215.

The "extra" subrel does not really matter so just go ahead and test it...

(In reply to Guillaume Rousse from comment #4)
> I asked for an admin to remove those packages, so as to submit them again
> with correct release.
>
> For Mageia 7, the version change 9.11.6 -> 9.11.31 seems a bit excessive for
> a security update, and I couldn't find suitable patches except for
> CVE-2021-25215.

(In reply to Thomas Backlund from comment #5)
> The "extra" subrel does not really matter so just go ahead and test it...

So, Assigning to QA Advisory soon.

Assignee: guillomovitch => qa-bugs

Even for 9.11.26 Red Hat only fixed CVE-2021-25215, so I guess that's fine (mga7).

Advisory:
========================

Updated bind packages fix security vulnerabilities:

A broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly (CVE-2021-25214).

An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself (CVE-2021-25215).

A second vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack (CVE-2021-25216).

References:
- https://access.redhat.com/errata/RHSA-2021:1469
- https://kb.isc.org/v1/docs/cve-2021-25214
- https://kb.isc.org/v1/docs/cve-2021-25215
- https://kb.isc.org/v1/docs/cve-2021-25216
- https://www.openwall.com/lists/oss-security/2021/04/29/1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25214
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25215
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25216
========================

Updated packages in 8/core/updates_testing:
========================
bind-9.11.31-1.1.mga8
lib(64)dns1114-9.11.31-1.1.mga8
lib(64)dns_pkcs11_1114-9.11.31-1.1.mga8
bind-devel-9.11.31-1.1.mga8
bind-sdb-9.11.31-1.1.mga8
bind-pkcs11-9.11.31-1.1.mga8
bind-utils-9.11.31-1.1.mga8
bind-pkcs11-utils-9.11.31-1.1.mga8
lib(64)isc_pkcs11_1107-9.11.31-1.1.mga8
lib(64)isc1107-9.11.31-1.1.mga8
python3-bind-9.11.31-1.1.mga8
bind-dnssec-utils-9.11.31-1.1.mga8
lib(64)isccfg163-9.11.31-1.1.mga8
lib(64)lwres161-9.11.31-1.1.mga8
lib(64)bind9_161-9.11.31-1.1.mga8
bind-pkcs11-devel-9.11.31-1.1.mga8
lib(64)isccc161-9.11.31-1.1.mga8
bind-sdb-chroot-9.11.31-1.1.mga8
lib(64)irs161-9.11.31-1.1.mga8
bind-chroot-9.11.31-1.1.mga8

from SRPM:
bind-9.11.31-1.1.mga8.src.rpm

$ inxi -Sxx
System: Host: mageia.local Kernel: 5.10.37-desktop-2.mga8 x86_64 bits: 64 compiler: gcc v: 10.3.0
Desktop: KDE Plasma 5.20.4 tk: Qt 5.15.2 wm: kwin_x11 dm: SDDM Distro: Mageia 8 mga8

Updating these RPMs to:
- bind-utils-9.11.31-1.1.mga8.x86_64
- lib64bind9_161-9.11.31-1.1.mga8.x86_64
- lib64dns1114-9.11.31-1.1.mga8.x86_64
- lib64irs161-9.11.31-1.1.mga8.x86_64
- lib64isc1107-9.11.31-1.1.mga8.x86_64
- lib64isccfg163-9.11.31-1.1.mga8.x86_64
- lib64lwres161-9.11.31-1.1.mga8.x86_64

They are by default installed on Mageia 8. Update OK. Resolving DNS is OK, even after a reboot.

MGA8-64-OK

Status for Mageia 7?

CVE: (none) => CVE-2021-2521[4-6]

Mageia 7 advisory should only have CVE-2021-25215.
David Walser
2021-05-22 17:29:56 CEST
Status comment: Fixed upstream in 9.11.31 => (none)

So separate advisories for m7 and m8. The m8 advisory is in comment 8. For m7 ...

Advisory:
========================

Updated bind packages fix security vulnerabilities:

An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself (CVE-2021-25215).

References:
- https://access.redhat.com/errata/RHSA-2021:1469
- https://kb.isc.org/v1/docs/cve-2021-25215
- https://www.openwall.com/lists/oss-security/2021/04/29/1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25215

With srpm bind-9.11.6-1.4.mga7.src.rpm

Correct?

CC: (none) => davidwhodgins

Adding the MGA7-64-OK tag. Been using it with no regressions noticed since 2021-05-17T15:11:04 EDT

Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA8-64-OK MGA7-64-OK

Advisory committed. Validating.

Keywords: (none) => advisory, validated_update

Other test:
$ rpm -qa | grep bind
lib64bind9_161-9.11.31-1.1.mga8
python3-bind-9.11.31-1.1.mga8
bind-utils-9.11.31-1.1.mga8
bind-9.11.31-1.1.mga8
bind-dnssec-utils-9.11.31-1.1.mga8
Using bind to share Internet from an Ethernet connection to a WiFi connection with Mageia Control Centre "Share the Internet connection with other local machines" (in Network & Internet).
$ systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2021-05-23 17:03:16 CEST; 1min 19s ago
Main PID: 9924 (named)
Tasks: 7 (limit: 4693)
Memory: 55.8M
CPU: 57ms
CGroup: /system.slice/named.service
└─9924 /usr/sbin/named -u named -c /etc/named.conf
mai 23 17:03:16 localhost named[9924]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
mai 23 17:03:16 localhost named[9924]: resolver priming query complete
Give real OK.
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0220.html

Status: NEW => RESOLVED

Mageia 7 was not vulnerable to CVE-2021-25216, as it already had the --disable-isc-spnego compile option.

CVE-2021-25214 appears to be fixable, as Debian fixed it. Filed Bug 28978 for that.

CC: (none) => guillomovitch |