Upstream has issued an advisory on December 8:
https://kb.isc.org/article/AA-01216

The issue (CVE-2014-8500) is fixed upstream in 9.9.6-P1 (for Mageia 4):
https://kb.isc.org/article/AA-01224

This is essentially the same issue as CVE-2014-8601 for PowerDNS Recursor (Bug 14695).

Only affecting Cauldron is another issue announced on December 8:
https://kb.isc.org/article/AA-01217

That issue (CVE-2014-8680) is fixed in 9.10.1-P1:
https://kb.isc.org/article/AA-01223

Updated packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated bind packages fix security vulnerability:

By making use of maliciously-constructed zones or a rogue server, an attacker can exploit an oversight in the code BIND 9 uses to follow delegations in the Domain Name Service, causing BIND to issue unlimited queries in an attempt to follow the delegation. This can lead to resource exhaustion and denial of service (up to and including termination of the named server process) (CVE-2014-8500).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500
https://kb.isc.org/article/AA-01216
https://kb.isc.org/article/AA-01224
========================

Updated packages in core/updates_testing:
========================
bind-9.9.6.P1-1.mga4
bind-sdb-9.9.6.P1-1.mga4
bind-utils-9.9.6.P1-1.mga4
bind-devel-9.9.6.P1-1.mga4
bind-doc-9.9.6.P1-1.mga4

from bind-9.9.6.P1-1.mga4.src.rpm
Debian has issued an advisory for this on December 8: https://www.debian.org/security/2014/dsa-3094
URL: (none) => http://lwn.net/Vulnerabilities/625159/
Procedure: similar to https://bugs.mageia.org/show_bug.cgi?id=9163#c8
Whiteboard: (none) => has_procedure
On Mageia 4x32, real hardware, following procedure mentioned in Comment 2.

From current packages:
---------------------
bind-9.9.4.P2-1.mga4
bind-utils-9.9.4.P2-1.mga4

  # systemctl start named
  # systemctl status named
  # dig @localhost mageia.org
  # dig NS @localhost mageia.org +short
  # dig @localhost 212.85.158.146
  # dig mx @localhost mageia.org +short

All OK

To updated testing packages:
---------------------------
bind-9.9.6.P1-1.mga4
bind-utils-9.9.6.P1-1.mga4

  # systemctl restart named

and so on. All OK
CC: (none) => olchal
Whiteboard: has_procedure => has_procedure MGA4-32-OK
MGA-4-64 on HP Probook 6555b
Installation OK
I defined my own master zone in Webmin, put own address record in it, and put own machine as primary DNS server.
nslookup on own name OK.
Other commands as in Comment 3: all OK
CC: (none) => herman.viaene
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
Well done both. Validating. Advisory uploaded. Please push to updates. Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0524.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED