Upstream has issued an advisory on December 8:
The issue (CVE-2014-8500) is fixed upstream in 9.9.6-P1 (for Mageia 4):
This is essentially the same issue as CVE-2014-8601 for PowerDNS Recursor (Bug 14695).
Only affecting Cauldron is another issue announced on December 8:
That issue (CVE-2014-8680) is fixed in 9.10.1-P1:
Updated packages uploaded for Mageia 4 and Cauldron.
Updated bind packages fix security vulnerability:
By making use of maliciously-constructed zones or a rogue server, an attacker
can exploit an oversight in the code BIND 9 uses to follow delegations in the
Domain Name Service, causing BIND to issue unlimited queries in an attempt to
follow the delegation. This can lead to resource exhaustion and denial of
service (up to and including termination of the named server process)
Updated packages in core/updates_testing:
Steps to Reproduce:
Debian has issued an advisory for this on December 8:
Procedure: similar to
On Mageia 4x32, real hardware following procedure mentionned in Comment 2,
From current packages :
# systemctl start named
# systemctl status named
# dig @localhost mageia.org
# dig NS @localhost mageia.org +short
# dig @localhost 18.104.22.168
# dig mx @localhost mageia.org +short
To updated testing packages :
# systemctl restart named
and so on.
MGA-4-64 on HP Probook 6555b
I defined my own master zone in Webmin, put own address record in it, and put own machine as primary DNS server.
nslookup on own name OK.
Other commands as in Comment 3 : all OK
has_procedure MGA4-32-OK =>
has_procedure MGA4-32-OK MGA4-64-OK
Well done both.
Validating. Advisory uploaded.
Please push to updates
has_procedure MGA4-32-OK MGA4-64-OK =>
has_procedure advisory MGA4-32-OK MGA4-64-OKCC:
An update for this issue has been pushed to Mageia Updates repository.