Bug 7762

Summary: bind new security issue CVE-2012-5166
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/519152/
Whiteboard: MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK
Source RPM: bind-9.9.1.P3-1.mga2.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 7540    

Description David Walser 2012-10-10 16:35:20 CEST 
Mandriva has issued an advisory today (October 10):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:162

Updated packages uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated bind packages fix security vulnerability:

A certain combination of records in the RBT could cause named to hang
while populating the additional section of a response.
(CVE-2012-5166).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5166
ftp://ftp.isc.org/isc/bind/9.8.3-P4/CHANGES
ftp://ftp.isc.org/isc/bind/9.9.1-P4/CHANGES
ftp://ftp.isc.org/isc/bind9/9.8.3-P4/RELEASE-NOTES-BIND-9.8.3-P4.txt
ftp://ftp.isc.org/isc/bind9/9.9.1-P4/RELEASE-NOTES-BIND-9.9.1-P4.txt
https://kb.isc.org/article/AA-00801
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:162
========================

Updated packages in core/updates_testing:
========================
bind-9.8.3P4-1.mga1
bind-utils-9.8.3P4-1.mga1
bind-devel-9.8.3P4-1.mga1
bind-doc-9.8.3P4-1.mga1
bind-9.9.1.P4-1.mga2
bind-sdb-9.9.1.P4-1.mga2
bind-utils-9.9.1.P4-1.mga2
bind-devel-9.9.1.P4-1.mga2
bind-doc-9.9.1.P4-1.mga2

from SRPMS:
bind-9.8.3P4-1.mga1.src.rpm
bind-9.9.1.P4-1.mga2.src.rpm
David Walser 2012-10-10 16:35:41 CEST

Blocks: (none) => 7540
Whiteboard: (none) => MGA1TOO

David Walser 2012-10-10 23:50:52 CEST

URL: (none) => http://lwn.net/Vulnerabilities/519152/

Comment 1 Dave Hodgins 2012-10-11 06:03:08 CEST 
Testing complete Mageia 1 and 2, i586 and x86-64.
Just testing that host and dig work at 127.0.0.1

Could someone from the sysadmin team push the srpm
bind-9.9.1.P4-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
bind-9.8.3P4-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates

Advisory: Updated bind packages fix security vulnerability:

A certain combination of records in the RBT could cause named to hang
while populating the additional section of a response.
(CVE-2012-5166).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5166
ftp://ftp.isc.org/isc/bind/9.8.3-P4/CHANGES
ftp://ftp.isc.org/isc/bind/9.9.1-P4/CHANGES
ftp://ftp.isc.org/isc/bind9/9.8.3-P4/RELEASE-NOTES-BIND-9.8.3-P4.txt
ftp://ftp.isc.org/isc/bind9/9.9.1-P4/RELEASE-NOTES-BIND-9.9.1-P4.txt
https://kb.isc.org/article/AA-00801
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:162

https://bugs.mageia.org/show_bug.cgi?id=7762

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK

Comment 2 Thomas Backlund 2012-10-11 08:05:15 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0287

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED