Bug 6873

Summary:	bind new security issues CVE-2012-3817 and CVE-2012-3868
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:
Severity:	major
Priority:	High	CC:	davidwhodgins, guillomovitch, sysadmin-bugs, tmb
Version:	2	Keywords:	validated_update
Target Milestone:	---
Hardware:	i586
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/508297/
Whiteboard:	MGA1TOO MGA1-32-OK MGA1-64-OK MGA2-32-OK MGA2-64-OK
Source RPM:	bind-9.9.1.P1-1.mga3.src.rpm	CVE:
Status comment:

Description David Walser 2012-07-26 22:59:16 CEST

Ubuntu has issued an advisory today (July 26):
http://www.ubuntu.com/usn/usn-1518-1/

Mageia 1 and Mageia 2 are also affected.

It is fixed in 9.8.3-P2 and 9.9.1-P2.

David Walser 2012-07-26 22:59:32 CEST

CC: (none) => guillomovitch
Whiteboard: (none) => MGA2TOO, MGA1TOO

Comment 1 David Walser 2012-07-29 18:34:53 CEST

Mandriva has issued an advisory for this today (July 29):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:119

Comment 2 David Walser 2012-07-30 15:09:26 CEST

Fixed in Cauldron by Guillaume Rousse.

Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

David Walser 2012-08-02 23:36:54 CEST

Severity: normal => major

David Walser 2012-08-03 20:29:22 CEST

Priority: Normal => High

Comment 3 David Walser 2012-08-10 19:57:04 CEST

There is also CVE-2012-3868, which affects 9.9.x and was fixed in 9.9.1-P2.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3868
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/084813.html
http://lwn.net/Vulnerabilities/510669/

David Walser 2012-08-10 19:57:35 CEST

Summary: bind new security issue CVE-2012-3817 => bind new security issues CVE-2012-3817 and CVE-2012-3868

Comment 4 David Walser 2012-09-05 20:57:37 CEST

Updated packages uploaded for Mageia 1 and Mageia 2.

Advisory (Mageia 1):
========================

Updated bind packages fix security vulnerability:

High numbers of queries with DNSSEC validation enabled can cause an
assertion failure in named, caused by using a bad cache data structure
before it has been initialized (CVE-2012-3817).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3817
ftp://ftp.isc.org/isc/bind9/9.8.3-P2/RELEASE-NOTES-BIND-9.8.3-P2.txt
https://kb.isc.org/article/AA-00729
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:119
========================

Advisory (Mageia 2):
========================

Updated bind packages fix security vulnerabilities:

High numbers of queries with DNSSEC validation enabled can cause an
assertion failure in named, caused by using a bad cache data structure
before it has been initialized (CVE-2012-3817).

Race condition in the ns_client structure management in ISC BIND 9.9.x
before 9.9.1-P2 allows remote attackers to cause a denial of service
(memory consumption or process exit) via a large volume of TCP queries
(CVE-2012-3868).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3817
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3868
ftp://ftp.isc.org/isc/bind9/9.9.1-P2/RELEASE-NOTES-BIND-9.9.1-P2.txt
https://kb.isc.org/article/AA-00729
https://kb.isc.org/article/AA-00730
http://lists.fedoraproject.org/pipermail/package-announce/2012-August/084813.html
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:119
========================

Updated packages in core/updates_testing:
========================
bind-9.8.3P2-1.mga1
bind-utils-9.8.3P2-1.mga1
bind-devel-9.8.3P2-1.mga1
bind-doc-9.8.3P2-1.mga1
bind-9.9.1.P2-1.mga2
bind-sdb-9.9.1.P2-1.mga2
bind-utils-9.9.1.P2-1.mga2
bind-devel-9.9.1.P2-1.mga2
bind-doc-9.9.1.P2-1.mga2

from SRPMS:
bind-9.8.3P2-1.mga1.src.rpm
bind-9.9.1.P2-1.mga2.src.rpm

Assignee: bugsquad => qa-bugs

Comment 5 Dave Hodgins 2012-09-06 19:28:31 CEST

Testing complete. Mageia 1 and 2, i586 and x86-64

No poc, so just testing that the update installs cleanly, and after
starting named, can lookup hosts and pointers using the server
at 127.0.0.1

Could someone from the sysadmin team push the srpm
bind-9.9.1.P2-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
bind-9.8.3P2-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Please see comment 4 for the two separate advisories.

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: MGA1TOO => MGA1TOO MGA1-32-OK MGA1-64-OK MGA2-32-OK MGA2-64-OK

Comment 6 Thomas Backlund 2012-09-07 20:23:13 CEST

Update pushed:

Mageia 1:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0257

Mageia 2:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0258

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED