| Summary: | bind new security issues CVE-2012-5689 and CVE-2013-2266 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | Normal | CC: | davidwhodgins, guillomovitch, oe, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/539627/ | ||
| Whiteboard: | has_procedure mga2-32-ok MGA2-64-OK | ||
| Source RPM: | bind-9.9.2.P1-4.mga3.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2013-02-22 22:03:38 CET
David Walser
2013-02-22 22:03:46 CET
CC:
(none) =>
oe
David Walser
2013-02-22 22:03:53 CET
CC:
(none) =>
guillomovitch Here is the ISC article for CVE-2012-5689: https://kb.isc.org/article/AA-00855 Has this been fixed upstream yet? Upstream has also since released 9.9.2-P2 to fix CVE-2013-2226: https://kb.isc.org/article/AA-00871 Summary:
bind new security issue CVE-2012-5689 =>
bind new security issues CVE-2012-5689 and CVE-2013-2226 Correction, the new CVE is CVE-2013-2266, not 2226. Summary:
bind new security issues CVE-2012-5689 and CVE-2013-2226 =>
bind new security issues CVE-2012-5689 and CVE-2013-2266 RedHat has issued an advisory for CVE-2013-2266 on March 28: https://rhn.redhat.com/errata/RHSA-2013-0689.html from http://lwn.net/Vulnerabilities/545189/ CVE-2012-5689 is not fixed upstream, so I committed the patch from RedHat and updated this in Cauldron. Freeze push requested.
David Walser
2013-04-01 01:05:57 CEST
Whiteboard:
(none) =>
MGA2TOO bind 9.9.2-P2 pushed in Cauldron. Version:
Cauldron =>
2 Updated and patched package uploaded for Mageia 2. Assigning to QA. Advisory: ======================== Updated bind packages fix security vulnerabilities: A flaw was found in the DNS64 implementation in BIND when using Response Policy Zones (RPZ). If a remote attacker sent a specially-crafted query to a named server that is using RPZ rewrite rules, named could exit unexpectedly with an assertion failure. Note that DNS64 support is not enabled by default (CVE-2012-5689). A denial of service flaw was found in the libdns library. A remote attacker could use this flaw to send a specially-crafted DNS query to named that, when processed, would cause named to use an excessive amount of memory, or possibly crash (CVE-2013-2266). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5689 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2266 https://kb.isc.org/article/AA-00855 https://kb.isc.org/article/AA-00871 https://kb.isc.org/article/AA-00889 https://rhn.redhat.com/errata/RHSA-2013-0550.html https://rhn.redhat.com/errata/RHSA-2013-0689.html ======================== Updated packages in core/updates_testing: ======================== bind-9.9.2.P2-1.mga2 bind-sdb-9.9.2.P2-1.mga2 bind-utils-9.9.2.P2-1.mga2 bind-devel-9.9.2.P2-1.mga2 bind-doc-9.9.2.P2-1.mga2 from bind-9.9.2.P2-1.mga2.src.rpm Assignee:
bugsquad =>
qa-bugs No public PoC Testing mga2 32 Before ------ # service named start Starting named (via systemctl): [ OK ] # dig @localhost mageia.org ; <<>> DiG 9.9.2-P1 <<>> @localhost mageia.org ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16857 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;mageia.org. IN A ;; ANSWER SECTION: mageia.org. 3600 IN A 217.70.188.116 ;; AUTHORITY SECTION: mageia.org. 3600 IN NS ns1.mageia.org. mageia.org. 3600 IN NS ns0.mageia.org. ;; ADDITIONAL SECTION: ns0.mageia.org. 86400 IN A 212.85.158.146 ns1.mageia.org. 86400 IN A 95.142.164.207 ;; Query time: 464 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Thu Apr 4 11:34:25 2013 ;; MSG SIZE rcvd: 123 After ----- # service named restart Restarting named (via systemctl): [ OK ] # dig @localhost mageia.org No regression noticed. Whiteboard:
(none) =>
has_procedure mga2-32-ok Testing complete on Mageia 2 x86-64. Could someone from the sysadmin team push the srpm bind-9.9.2.P2-1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates. Advisory: Updated bind packages fix security vulnerabilities: A flaw was found in the DNS64 implementation in BIND when using Response Policy Zones (RPZ). If a remote attacker sent a specially-crafted query to a named server that is using RPZ rewrite rules, named could exit unexpectedly with an assertion failure. Note that DNS64 support is not enabled by default (CVE-2012-5689). A denial of service flaw was found in the libdns library. A remote attacker could use this flaw to send a specially-crafted DNS query to named that, when processed, would cause named to use an excessive amount of memory, or possibly crash (CVE-2013-2266). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5689 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2266 https://kb.isc.org/article/AA-00855 https://kb.isc.org/article/AA-00871 https://kb.isc.org/article/AA-00889 https://rhn.redhat.com/errata/RHSA-2013-0550.html https://rhn.redhat.com/errata/RHSA-2013-0689.html https://bugs.mageia.org/show_bug.cgi?id=9163 Keywords:
(none) =>
validated_update Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0105 Status:
NEW =>
RESOLVED |