Bug 29776

Summary: ldns new security issues rhbz#2028468, rhbz#2028465, rhbz#2028472 (CVE-2020-19860, CVE-2020-19861)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, geiger.david68210, guillomovitch, herman.viaene, mageia, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: ldns-1.7.1-3.mga9.src.rpm CVE:
Status comment:

Description David Walser 2021-12-17 19:40:21 CET 
Fedora has issued an advisory today (December 17):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2X73FZHU3TMEVLPJ6AFGATNWWADHGZW3/

The issues are fixed upstream in 1.8.0 (Fedora updated to 1.8.1).

Mageia 8 is also affected.
David Walser 2021-12-17 19:40:43 CET

Status comment: (none) => Fixed upstream in 1.8.0
CC: (none) => geiger.david68210, guillomovitch
Whiteboard: (none) => MGA8TOO

Comment 1 Nicolas Lécureuil 2021-12-17 22:30:22 CET 
updated in cauldron.

Version: Cauldron => 8
CC: (none) => mageia
Whiteboard: MGA8TOO => (none)

Comment 2 Nicolas Lécureuil 2021-12-17 22:31:49 CET 
new version pushed in mga8

src:
    - ldns-1.8.1-1.mga8

Assignee: bugsquad => qa-bugs

Comment 3 David Walser 2021-12-17 22:36:18 CET 
python3-ldns-1.8.1-1.mga8
libldns-devel-1.8.1-1.mga8
libldns3-1.8.1-1.mga8
ldns-utils-1.8.1-1.mga8

from ldns-1.8.1-1.mga8.src.rpm

Status comment: Fixed upstream in 1.8.0 => (none)

Comment 4 Herman Viaene 2021-12-20 14:28:52 CET 
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues
Ref bug 13324 for testing
$ mkdir testldns
$ cd testldns
$ ldns-keygen -a RSASHA1_NSEC3 -b 1024 example.net
Kexample.net.+007+03893
$ ll
totaal 8
-rw-r--r-- 1 tester8 tester8 241 dec 20 14:19 Kexample.net.+007+03893.key
-rw------- 1 tester8 tester8 943 dec 20 14:19 Kexample.net.+007+03893.private
$ urpmf ldns-utils | grep bin
ldns-utils:/usr/bin/drill
ldns-utils:/usr/bin/ldns-chaos
ldns-utils:/usr/bin/ldns-compare-zones
ldns-utils:/usr/bin/ldns-dane
ldns-utils:/usr/bin/ldns-dpa
etc....

$ ldns-mx mageia.org                                   
mageia.org.     1800    IN      MX      10 sucuk.mageia.org.
mageia.org.     1800    IN      MX      20 neru.mageia.org.
$ drill mageia.org @8.8.8.8
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 11653
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; mageia.org.  IN      A

;; ANSWER SECTION:
mageia.org.     1800    IN      A       163.172.148.228

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 2155 msec
;; SERVER: 8.8.8.8
;; WHEN: Mon Dec 20 14:21:44 2021
;; MSG SIZE  rcvd: 44

If Claire OK'ed this on these tests, I'll follow her.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2021-12-20 18:48:10 CET 
If I learned anything in my early days with QA, it was "don't argue with Claire." ;-)

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2021-12-23 19:59:04 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-12-23 22:03:05 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0582.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 7 David Walser 2022-02-01 18:05:27 CET 
rhbz#2028468 is CVE-2020-19861, and CVE-2020-19860 was also fixed in 1.8.0 and in this update:
https://bugzilla.redhat.com/show_bug.cgi?id=2044427
https://ubuntu.com/security/notices/USN-5257-1

Summary: ldns new security issues rhbz#2028468, rhbz#2028465, rhbz#2028472 => ldns new security issues rhbz#2028468, rhbz#2028465, rhbz#2028472 (CVE-2020-19860, CVE-2020-19861)