Bug 16324 - bind new security issue CVE-2015-4620
Summary: bind new security issue CVE-2015-4620
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/650519/
Whiteboard: MGA4TOO has_procedure advisory MGA4-6...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-07-08 16:53 CEST by David Walser
Modified: 2015-07-09 10:10 CEST (History)
3 users

See Also:
Source RPM: bind-9.10.1.P2-2.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-07-08 16:53:12 CEST
Upstream has issued an advisory on July 7:
https://kb.isc.org/article/AA-01267

The issue is fixed in 9.9.7-P1 and 9.10.2-P2:
https://kb.isc.org/article/AA-01270
https://kb.isc.org/article/AA-01269

Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated bind packages fix security vulnerability:

A recursive resolver that is performing DNSSEC validation can be deliberately
terminated by any attacker who can cause a query to be performed against a
maliciously constructed zone.  This will result in a denial of service to
clients who rely on that resolver (CVE-2015-4620).

Note that DNSSEC validation is not enabled by default.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4620
https://kb.isc.org/article/AA-01267
https://kb.isc.org/article/AA-01270
https://kb.isc.org/article/AA-01269
========================

Updated packages in core/updates_testing:
========================
bind-9.9.7.P1-1.mga4
bind-sdb-9.9.7.P1-1.mga4
bind-utils-9.9.7.P1-1.mga4
bind-devel-9.9.7.P1-1.mga4
bind-doc-9.9.7.P1-1.mga4
bind-9.10.2.P2-1.mga5
bind-sdb-9.10.2.P2-1.mga5
bind-utils-9.10.2.P2-1.mga5
bind-devel-9.10.2.P2-1.mga5
bind-doc-9.10.2.P2-1.mga5

from SRPMS:
bind-9.9.7.P1-1.mga4.src.rpm
bind-9.10.2.P2-1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
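The advisory above gives two facts a resolver operator needs in order to judge exposure: the fixed versions (9.9.7-P1 and 9.10.2-P2) and the note that DNSSEC validation is off by default. The checker below is an added example, not part of this bug report, of the Mageia packages or of the BIND project; it parses a BIND version string in either the upstream spelling (`9.10.1-P2`) or the RPM spelling (`9.10.1.P2`), compares it against the fixed versions for the 9.9 and 9.10 branches named in the advisory, and reads the explicit `dnssec-validation` option out of a `named.conf` fragment. The two configuration snippets are constructed for the example; the function names are my own.

```python
"""Added example (not from the Mageia bug or the BIND project): decide whether a
BIND resolver is exposed to CVE-2015-4620 from the running version (fixed in
9.9.7-P1 / 9.10.2-P2 per the advisory) and from whether DNSSEC validation is
explicitly enabled in named.conf (the advisory notes it is off by default)."""
import re
from typing import Optional, Tuple

# Fixed versions named in the advisory, keyed by release branch (major, minor).
FIXED = {
    (9, 9): (9, 9, 7, 1),    # 9.9.7-P1
    (9, 10): (9, 10, 2, 2),  # 9.10.2-P2
}

# Accepts "9.9.7-P1" (upstream) and "9.9.7.P1" (RPM version field).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]P(\d+))?$")

# Explicit dnssec-validation option, after comments have been stripped.
_OPTION_RE = re.compile(r"^\s*dnssec-validation\s+(yes|no|auto)\s*;",
                        re.MULTILINE | re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a BIND version string into a comparable (major, minor, patch, P-level)
    tuple. A release with no patch level counts as P0, so 9.9.7 < 9.9.7-P1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_status(text: str) -> str:
    """'fixed', 'vulnerable', or 'unknown' when the branch is not one the
    advisory gives a fixed version for (check upstream in that case)."""
    v = parse_version(text)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unknown"
    return "fixed" if v >= fixed else "vulnerable"


def dnssec_validation_setting(named_conf: str) -> Optional[str]:
    """Return the explicit 'dnssec-validation' value (yes/no/auto), ignoring
    anything inside //, # or /* */ comments, or None when it is not set."""
    text = re.sub(r"/\*.*?\*/", "", named_conf, flags=re.DOTALL)
    text = re.sub(r"(//|#).*", "", text)
    m = _OPTION_RE.search(text)
    return m.group(1).lower() if m else None


def assess(version: str, named_conf: str) -> str:
    """One-line exposure verdict combining version and validation setting."""
    status = version_status(version)
    validating = dnssec_validation_setting(named_conf) in ("yes", "auto")
    if status == "fixed":
        return "not affected: patched version"
    if status == "unknown":
        return "unknown: branch not covered by the advisory, check upstream"
    if validating:
        return "exposed: vulnerable version with DNSSEC validation enabled"
    return "vulnerable version, but DNSSEC validation is not enabled; update anyway"


# Constructed named.conf fragments for the example (not real deployments).
CONF_DEFAULT = """
options {
    directory "/var/named";
    recursion yes;
};
"""

CONF_VALIDATING = """
options {
    directory "/var/named";
    recursion yes;
    /* validate answers with the built-in root trust anchor */
    dnssec-validation auto;
};
"""

if __name__ == "__main__":
    # The versions tested in this bug: stock 9.9.4 / 9.10.1-P2 and the updates.
    for ver in ("9.9.4", "9.10.1.P2", "9.9.7.P1", "9.10.2.P2"):
        print(f"{ver:10} default conf  -> {assess(ver, CONF_DEFAULT)}")
        print(f"{ver:10} validating    -> {assess(ver, CONF_VALIDATING)}")
```

The version string for a live host can be taken from `rpm -q bind` (the `9.9.7.P1-1.mga4` form) or `named -v`; the regex handles both spellings, and `version_status` deliberately answers "unknown" rather than guessing for branches the advisory does not name.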
Comment 1 David Walser 2015-07-08 16:53:26 CEST
Testing procedure: similar to
https://bugs.mageia.org/show_bug.cgi?id=9163#c8

Whiteboard: (none) => MGA4TOO has_procedure

Comment 2 Mauricio Andrés Bustamante Viveros 2015-07-08 19:00:40 CEST
Tested MGA4-32. First installed bind from core distrib (9.9.4), started the service, and using the 9163 test case, OK.

After this test, upgraded the package using core updates_testing, and after that the testing all seems OK.

The resultant package installed is 9.9.7.

Testing the MGA5-32.

CC: (none) => neoser10

Comment 3 David Walser 2015-07-08 20:18:48 CEST
Debian has issued an advisory for this on July 7:
https://www.debian.org/security/2015/dsa-3304

URL: (none) => http://lwn.net/Vulnerabilities/650519/

Comment 4 Mauricio Andrés Bustamante Viveros 2015-07-08 21:27:05 CEST
Tested MGA5-32. First installed bind from core distrib (9.10), started the service, and using the 9163 test case I have no server response error, but after 3 or 5 minutes I get a connection with a master (with MGA4-32, after the service starts I execute dig commands to @localhost and I have faster responses).

After this test, upgraded the package using core updates_testing, and after that the testing all seems OK.

The resultant package installed is 9.10.2.

All testing is without modifying the default configurations.

I have just one question: can I use the sdb version of bind without uninstalling the standard implementation? Any considerations before or after installing that package? I want to test again with that pkg on both MGA installs.

Thanks
Comment 5 Dave Hodgins 2015-07-09 01:19:06 CEST
Advisory committed to svn, and testing complete on Mageia 4 32 and 64 bit.

Based on comment 4, I'm adding the MGA5-32-OK whiteboard entry, and validating
the update.

Keywords: (none) => validated_update
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure advisory MGA4-64-OK MGA4-32-OK MGA5-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2015-07-09 10:10:04 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0272.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
