Upstream has issued an advisory on July 7: https://kb.isc.org/article/AA-01267

The issue is fixed in 9.9.7-P1 and 9.10.2-P2:
https://kb.isc.org/article/AA-01270
https://kb.isc.org/article/AA-01269

Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated bind packages fix security vulnerability:

A recursive resolver that is performing DNSSEC validation can be deliberately terminated by any attacker who can cause a query to be performed against a maliciously constructed zone. This will result in a denial of service to clients who rely on that resolver (CVE-2015-4620).

Note that DNSSEC validation is not enabled by default.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4620
https://kb.isc.org/article/AA-01267
https://kb.isc.org/article/AA-01270
https://kb.isc.org/article/AA-01269
========================

Updated packages in core/updates_testing:
========================
bind-9.9.7.P1-1.mga4
bind-sdb-9.9.7.P1-1.mga4
bind-utils-9.9.7.P1-1.mga4
bind-devel-9.9.7.P1-1.mga4
bind-doc-9.9.7.P1-1.mga4

bind-9.10.2.P2-1.mga5
bind-sdb-9.10.2.P2-1.mga5
bind-utils-9.10.2.P2-1.mga5
bind-devel-9.10.2.P2-1.mga5
bind-doc-9.10.2.P2-1.mga5

from SRPMS:
bind-9.9.7.P1-1.mga4.src.rpm
bind-9.10.2.P2-1.mga5.src.rpm

Reproducible:

Steps to Reproduce:
Testing procedure: similar to https://bugs.mageia.org/show_bug.cgi?id=9163#c8
Whiteboard: (none) => MGA4TOO has_procedure
Tested MGA4-32. First installed bind from core distrib (9.9.4), started the service, used the 9163 test case, OK. After this test, upgraded the package using core updates_testing, and after testing all seems OK. The resultant package installed is 9.9.7. Testing MGA5-32.
CC: (none) => neoser10
Debian has issued an advisory for this on July 7: https://www.debian.org/security/2015/dsa-3304
URL: (none) => http://lwn.net/Vulnerabilities/650519/
Tested MGA5-32. First installed bind from core distrib (9.10), started the service, used the 9163 test case. I have no server response error, but after 3 or 5 minutes I get a connection with a master (with MGA4-32, after the service starts, I execute dig commands to @localhost and I have faster responses). After this test, upgraded the package using core updates_testing, and after testing all seems OK. The resultant package installed is 9.10.2. All testing is without modifying the default configurations. I only have one question: can I use the sdb version of bind without uninstalling the standard implementation? Any considerations before or after installing that package? I want to test again with that package on both MGA installs. Thanks
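The advisory gives the fixed releases (9.9.7-P1 for Mageia 4, 9.10.2-P2 for Mageia 5), and the QA comments above check the resolver with dig against @localhost before and after the upgrade. The following POSIX shell script is an added example, not part of this bug report or of the Mageia bind package: it compares the installed bind version reported by rpm (which spells the patch level with a dot, as in 9.9.7.P1) against the fixed release for the package's own Mageia branch, then sends one query to the local resolver and prints whatever dnssec-validation setting named.conf carries. The function names, the root NS query and the sample versions in the comments are my own choices.

```shell
#!/bin/sh
# Added example for the CVE-2015-4620 bind update; not from the bug report.
# Fixed releases per the advisory: 9.9.7-P1 (Mageia 4), 9.10.2-P2 (Mageia 5).
# Mageia's rpm VERSION tag spells these as 9.9.7.P1 and 9.10.2.P2.

# Turn "9.9.7.P1", "9.9.7-P1" or "9.9.4" into a sortable integer:
# 1 major(3) minor(3) patch(3) patchlevel(3), e.g. 9.9.7.P1 -> 1009009007001.
# The leading 1 keeps the number free of leading zeros for [ -ge ].
bind_version_key() {
    ver=$(printf '%s' "$1" | tr '-' '.')
    old_ifs=$IFS
    IFS=.
    set -- $ver                       # split on '.', so "P1" lands in $4
    IFS=$old_ifs
    plevel=${4:-0}
    plevel=${plevel#P}                # "P1" -> "1"; no patch level -> "0"
    printf '1%03d%03d%03d%03d' "${1:-0}" "${2:-0}" "${3:-0}" "$plevel"
}

# First fixed VERSION for a Mageia branch, taken from the advisory above.
fixed_version_for() {
    case "$1" in
        mga4) echo 9.9.7.P1 ;;
        mga5) echo 9.10.2.P2 ;;
        *)    echo "" ;;            # branch not covered by this advisory
    esac
}

# bind_is_fixed VERSION RELEASE: 0 if VERSION is at or above the fixed release
# for the branch named in RELEASE ("1.mga4" -> mga4), 1 if older, 2 if unknown.
bind_is_fixed() {
    branch=${2##*.}
    want=$(fixed_version_for "$branch")
    [ -n "$want" ] || return 2
    [ "$(bind_version_key "$1")" -ge "$(bind_version_key "$want")" ]
}

# Live check on a Mageia host (needs rpm, dig and named-checkconf); mirrors the
# QA steps: confirm the package level, then query the resolver on localhost.
check_host() {
    vr=$(rpm -q --qf '%{VERSION} %{RELEASE}\n' bind) || {
        echo "bind is not installed"
        return 1
    }
    set -- $vr
    if bind_is_fixed "$1" "$2"; then
        echo "bind-$1-$2: at or above the release that fixes CVE-2015-4620"
    else
        echo "bind-$1-$2: older than the fixed release; update from core/updates_testing"
        return 1
    fi
    # Any query that exercises the running resolver; root NS is a neutral choice.
    dig +time=5 +tries=1 @localhost . NS >/dev/null || {
        echo "no answer from the resolver on localhost"
        return 1
    }
    # The flaw only affects validating resolvers; show what the config says.
    named-checkconf -p 2>/dev/null | grep 'dnssec-validation' \
        || echo "dnssec-validation is not set in named.conf"
}

# Uncomment to run on a real host:
# check_host
```

Sample results under the advisory's numbers: `bind_is_fixed 9.9.4 3.mga4` (the Mageia 4 core package the tester started from) returns 1, `bind_is_fixed 9.9.7.P1 1.mga4` returns 0, and a Cauldron-style release such as `1.mga6` returns 2 because the advisory lists no fixed version for it.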
Advisory committed to svn, and testing complete on Mageia 4 32 and 64 bit. Based on comment 4, I'm adding the MGA5-32-OK whiteboard entry, and validating the update.
Keywords: (none) => validated_update
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure advisory MGA4-64-OK MGA4-32-OK MGA5-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0272.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED