Bug 1485 - bind9 vulnerabilities
Summary: bind9 vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords:
Duplicates: 1451
Depends on:
Blocks:
 
Reported: 2011-05-30 18:07 CEST by Jérôme Soyer
Modified: 2014-05-08 18:05 CEST
CC List: 5 users

See Also:
Source RPM: bind-9.8.0-6.P1.mga1.src.rpm
CVE:
Status comment:


Description Jérôme Soyer 2011-05-30 18:07:44 CEST
Summary:

An attacker could send crafted input to Bind and cause it to crash.

Software Description:
- bind9: Internet Domain Name Server

Details:

It was discovered that Bind incorrectly handled certain bad signatures if
multiple trust anchors existed for a single zone. A remote attacker could
use this flaw to cause Bind to stop responding, resulting in a denial of
service. This issue only affected Ubuntu 8.04 LTS and 10.04 LTS.
(CVE-2010-3762)

Frank Kloeker and Michael Sinatra discovered that Bind incorrectly handled
certain very large RRSIG RRsets included in negative responses. A remote
attacker could use this flaw to cause Bind to stop responding, resulting in
a denial of service. (CVE-2011-1910)

Update instructions:

The problem can be corrected by updating your system.

Comment 1 Pascal Terjan 2011-06-07 11:32:45 CEST
Partially duplicate of bug #1451

CC: (none) => pterjan

Comment 2 Nicolas Vigier 2011-07-05 21:03:40 CEST
Other security fixes from version 9.8.0-P4:
ftp://ftp.isc.org/isc/bind/9.8.0-P4/RELEASE-NOTES-BIND-9.8.0-P4.html

CC: (none) => boklm

Comment 3 Nicolas Vigier 2011-07-05 21:14:55 CEST
Bind package updated to version 9.8.0-P4 has been submitted to updates_testing.

Assignee: bugsquad => qa-bugs

Comment 4 Nicolas Vigier 2011-07-05 21:16:21 CEST
*** Bug 1451 has been marked as a duplicate of this bug. ***

CC: (none) => tmb

Comment 5 Dave Hodgins 2011-07-06 00:54:23 CEST
The packages involved are
bind-devel
bind
bind-doc
bind-utils
The srpm is bind-9.8.0-6.P4.mga1.src.rpm

I've installed the packages on my i586 system.  For the doc and devel packages,
I'm simply confirming that they install without any conflicts.

For the bind and bind-utils package, I ran "service named restart",
and some dig/host/nslookup commands, and am currently using
nameserver 127.0.0.1
as the first line in /etc/resolv.conf.

I don't see a poc test for the security updates, so I'm not trying to
test those.

Testing complete on i586.

CC: (none) => davidwhodgins

Comment 6 José Jorge 2011-07-06 19:05:41 CEST
Tested bind-utils on x86_64, works for me with an nslookup.

CC: (none) => lists.jjorge

Comment 7 Dave Hodgins 2011-07-07 02:00:31 CEST
Can someone from the sysadmin team push the packages
bind-devel
bind
bind-doc
bind-utils
from Core Updates Testing to Core Updates please.
The srpm is bind-9.8.0-6.P4.mga1.src.rpm

Comment 8 Stew Benedict 2011-07-07 13:22:49 CEST
If the "other security fixes" from comment 2 went in, we should mention CVE-2011-2464 in the advisory text:

It was discovered that BIND, a DNS server, does not correctly process
certain UPDATE requests, resulting in a server crash and a denial of
service.  This vulnerability affects BIND installations even if they
do not actually use dynamic DNS updates (CVE-2011-2464).

CC: (none) => stewbintn

Comment 9 Pascal Terjan 2011-07-07 13:40:05 CEST
I have seen on the internet an exploit for CVE-2011-2464 (and have not tested it). I can't make this comment private but can send it to interested people who don't have it.

Comment 10 Nicolas Vigier 2011-07-07 13:42:40 CEST
Yes, I think we should mention all updates since P1:
ftp://ftp.isc.org/isc/bind/9.8.0-P2/RELEASE-NOTES-BIND-9.8.0-P2.html
ftp://ftp.isc.org/isc/bind/9.8.0-P4/RELEASE-NOTES-BIND-9.8.0-P4.html

So the advisory could be something like this:

This update fixes several security issues in bind:
- Using Response Policy Zone (RPZ) with DNAME records and querying the subdomain of that label can cause named to crash. Now logs that DNAME is not supported. [ISC RT #24766]
- If named is configured to be both authoritative and recursive and receives a recursive query for a CNAME in a zone that it is authoritative for, if that CNAME also points to a zone the server is authoritative for, the recursive part of named will not follow the CNAME change and the response will not be a complete CNAME chain. [ISC RT #24455]
- Using Response Policy Zone (RPZ) to query a wildcard CNAME label with QUERY type SIG/RRSIG, it can cause named to crash. Fix is query type independent. [ISC RT #24715] [CVE-2011-1907]
- Change #2912 (see CHANGES) exposed a latent bug in the DNS message processing code that could allow certain UPDATE requests to crash named. This was fixed by disambiguating internal database representation vs DNS wire format data. [ISC RT #24777] [CVE-2011-2464]
- A large RRSET from a remote authoritative server that results in the recursive resolver trying to negatively cache the response can hit an off by one code error in named, resulting in named crashing. [ISC RT #24650] [CVE-2011-1910]
- Zones that have a DS record in the parent zone but are also listed in a DLV and won't validate without DLV could fail to validate. [ISC RT #24631]

Comment 11 Dave Hodgins 2011-07-14 04:11:19 CEST
Can someone from the sysadmin team push the packages
bind-devel
bind
bind-doc
bind-utils
from Core Updates Testing to Core Updates please.
The srpm is bind-9.8.0-6.P4.mga1.src.rpm

See comment 10 for the advisory.

Comment 12 Nicolas Vigier 2011-07-14 11:26:02 CEST
pushed to updates.

Status: NEW => RESOLVED
Resolution: (none) => FIXED
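
One way to confirm that a host picked up this update, as an added example that is not part of the bug thread: the script compares a BIND version string against the fixed release 9.8.0-P4 from comment 3, accepting both the upstream form and the Mageia package form. The function names `bind_key` and `bind_is_fixed` are hypothetical, the sample strings are constructed, and the ordering is only decided within the 9.8 line this bug is about.

```bash
#!/usr/bin/env bash
# Added example (not from the bug report): is a BIND version string at or
# above the fixed release from comment 3? Accepts upstream strings
# ("BIND 9.8.0-P4") and the Mageia package form ("9.8.0-6.P4.mga1").
FIXED="9.8.0-P4"

# bind_key VERSION -> prints "major minor patch plevel"; returns 1 if no
# x.y.z is found. Pre-releases (a/b/rc) sort below the final release (-1).
bind_key() {
    local re='([0-9]+)\.([0-9]+)\.([0-9]+)(.*)$'
    local pre='^-?(a|b|rc)[0-9]+' plv='(^|[-.])P([0-9]+)'
    [[ $1 =~ $re ]] || return 1
    local xyz="${BASH_REMATCH[1]} ${BASH_REMATCH[2]} ${BASH_REMATCH[3]}"
    local rest=${BASH_REMATCH[4]} p=0
    if [[ $rest =~ $pre ]]; then
        p=-1
    elif [[ $rest =~ $plv ]]; then
        p=${BASH_REMATCH[2]}
    fi
    echo "$xyz $p"
}

# bind_is_fixed VERSION [FIXED]
# Returns 0 = at or above FIXED, 1 = older, 2 = unparseable,
# 3 = different major.minor branch (its fixed release is not known here).
# Assumption: later releases on the same branch keep the fix.
bind_is_fixed() {
    local h w i
    h=$(bind_key "$1") || return 2
    w=$(bind_key "${2:-$FIXED}") || return 2
    local -a have=($h) want=($w)
    [ "${have[0]}.${have[1]}" = "${want[0]}.${want[1]}" ] || return 3
    for i in 2 3; do
        [ "${have[i]}" -gt "${want[i]}" ] && return 0
        [ "${have[i]}" -lt "${want[i]}" ] && return 1
    done
    return 0
}

# Constructed sample inputs, not output captured from a real host.
for v in "BIND 9.8.0-P1" "9.8.0-6.P4.mga1" "BIND 9.8.0rc1" "BIND 9.7.3"; do
    rc=0; bind_is_fixed "$v" || rc=$?
    case $rc in
        0) echo "fixed      $v" ;;
        1) echo "UPDATE     $v" ;;
        3) echo "other line $v" ;;
        *) echo "unparsed   $v" ;;
    esac
done
```

On a live system the input would be the output of `named -v` or `rpm -q bind`.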

Nicolas Vigier 2014-05-08 18:05:46 CEST

CC: boklm => (none)

