Upstream has issued an advisory on July 28:
https://kb.isc.org/article/AA-0127

This is a critical, remotely exploitable denial of service vulnerability.

Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated bind packages fix security vulnerability:

An error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit (CVE-2015-5477).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477
https://kb.isc.org/article/AA-01272
https://kb.isc.org/article/AA-01279
https://kb.isc.org/article/AA-01280
========================

Updated packages in core/updates_testing:
========================
bind-9.9.7.P2-1.mga4
bind-sdb-9.9.7.P2-1.mga4
bind-utils-9.9.7.P2-1.mga4
bind-devel-9.9.7.P2-1.mga4
bind-doc-9.9.7.P2-1.mga4

bind-9.10.2.P3-1.mga5
bind-sdb-9.10.2.P3-1.mga5
bind-utils-9.10.2.P3-1.mga5
bind-devel-9.10.2.P3-1.mga5
bind-doc-9.10.2.P3-1.mga5

from SRPMS:
bind-9.9.7.P2-1.mga4.src.rpm
bind-9.10.2.P3-1.mga5.src.rpm
Testing procedure: similar to https://bugs.mageia.org/show_bug.cgi?id=9163#c8
Whiteboard: (none) => MGA4TOO has_procedure
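The advisory above names TKEY queries as the trigger. A resolver operator who cannot patch immediately will usually want to know whether TKEY queries (RR type 249, RFC 2930) reach the server at all, since legitimate TKEY use is rare outside GSS-TSIG deployments. The following is an added monitoring example, not code from this bug report or from ISC: it parses the question section of a DNS message and flags TKEY queries. The packets it inspects are constructed, well-formed queries built by the helper `build_query`; the source addresses are placeholders from the 192.0.2.0/24 documentation range.

```python
"""Flag DNS queries whose QTYPE is TKEY (249), the record type named in the
CVE-2015-5477 advisory. Added monitoring example; the packets below are
constructed, well-formed queries, not traffic from the bug report."""
import struct

TKEY_QTYPE = 249   # RFC 2930 Transaction Key
QTYPE_A = 1


def build_query(name, qtype, txid=0x1234):
    """Construct a minimal DNS query: 12-byte header, one question (sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_question(packet):
    """Return (txid, qname, qtype) for the first question; raise ValueError on
    anything truncated or malformed so the caller can decide what to do."""
    if len(packet) < 12:
        raise ValueError("short header")
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount == 0:
        raise ValueError("no question section")
    pos = 12
    labels = []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated qname")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question qname")
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated qtype/qclass")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels) + ".", qtype


def is_tkey_query(packet):
    """True when the first question asks for TKEY; False when unparseable."""
    try:
        return parse_question(packet)[2] == TKEY_QTYPE
    except ValueError:
        return False


def flag_tkey(packets):
    """Return [(src, txid, qname)] for every TKEY query in (src, packet) pairs."""
    hits = []
    for src, pkt in packets:
        if is_tkey_query(pkt):
            txid, qname, _ = parse_question(pkt)
            hits.append((src, txid, qname))
    return hits


SAMPLE = [  # constructed sample traffic
    ("192.0.2.10", build_query("mageia.org", QTYPE_A, 0x0001)),
    ("192.0.2.20", build_query("example.net", TKEY_QTYPE, 0x0002)),
    ("192.0.2.30", b"\x00\x01\x01\x00"),  # truncated junk: must not crash the monitor
]

if __name__ == "__main__":
    for src, txid, qname in flag_tkey(SAMPLE):
        print(f"TKEY query from {src}: id={txid} qname={qname}")
```

In practice the `packets` list would be fed from a capture of UDP/TCP port 53 payloads in front of the resolver; the parser deliberately stops at the question section, because deciding whether a TKEY message is hostile is the resolver's job, and the monitor only needs to know that such queries are arriving.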
I'm going to test MGA5-64 - stay tuned.
CC: (none) => shlomif
(In reply to Shlomi Fish from comment #2)
> I'm going to test MGA5-64 - stay tuned.

The test appears to have failed - before the update. I can start the "named" service fine and it runs on the :53 UDP and TCP ports, but I cannot resolve using it (Mageia Linux 5 x86-64 Acer Laptop). Shell session below:

============================================
[shlomif@localhost ~]$ dig mageia.org

; <<>> DiG 9.10.2-P2 <<>> mageia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54312
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mageia.org. IN A

;; ANSWER SECTION:
mageia.org. 1800 IN A 217.70.188.116

;; Query time: 80 msec
;; SERVER: 10.0.0.138#53(10.0.0.138)
;; WHEN: Wed Jul 29 19:43:14 IDT 2015
;; MSG SIZE rcvd: 55

[shlomif@localhost ~]$ dig @127.0.0.1 mageia.org

; <<>> DiG 9.10.2-P2 <<>> @127.0.0.1 mageia.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39401
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mageia.org. IN A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 29 19:43:25 IDT 2015
;; MSG SIZE rcvd: 39

[shlomif@localhost ~]$
Update - seems like an @localhost dig session for www.google.com is working:

===============
[shlomif@localhost ~]$ dig @127.0.0.1 www.google.com

; <<>> DiG 9.10.2-P2 <<>> @127.0.0.1 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39372
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 218 IN A 216.58.210.68

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 29 19:47:34 IDT 2015
;; MSG SIZE rcvd: 59
Debian has issued an advisory for this on July 28: https://www.debian.org/security/2015/dsa-3319
URL: (none) => http://lwn.net/Vulnerabilities/652790/
CC: (none) => davidwhodgins
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure advisory MGA4-64-OK MGA4-32-OK
Shlomi try "dig mageia.org 127.0.0.1"
(In reply to Dave Hodgins from comment #6)
> Shlomi try "dig mageia.org 127.0.0.1"

This is working fine:

[shlomif@localhost ~]$ dig mageia.org 127.0.0.1

; <<>> DiG 9.10.2-P2 <<>> mageia.org 127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64660
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mageia.org. IN A

;; ANSWER SECTION:
mageia.org. 1800 IN A 217.70.188.116

;; Query time: 97 msec
;; SERVER: 10.0.0.138#53(10.0.0.138)
;; WHEN: Thu Jul 30 21:09:08 IDT 2015
;; MSG SIZE rcvd: 55

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31606
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;127.0.0.1. IN A

;; AUTHORITY SECTION:
. 6977 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2015073000 1800 900 604800 86400

;; Query time: 46 msec
;; SERVER: 10.0.0.138#53(10.0.0.138)
;; WHEN: Thu Jul 30 21:09:08 IDT 2015
;; MSG SIZE rcvd: 113
Whiteboard: MGA4TOO has_procedure advisory MGA4-64-OK MGA4-32-OK => MGA4TOO has_procedure advisory MGA4-64-OK MGA4-32-OK MGA5-64-OK
I will test mga5-32 after meeting....
CC: (none) => neoser10
(In reply to Mauricio Andrés Bustamante Viveros from comment #8) > I will test mga5-32 after meeting.... Well, since it took too long - I've done the MGA5-32-OK testing now and everything is fine.
Whiteboard: MGA4TOO has_procedure advisory MGA4-64-OK MGA4-32-OK MGA5-64-OK => MGA4TOO has_procedure advisory MGA4-64-OK MGA4-32-OK MGA5-64-OK MGA5-32-OK
(In reply to Shlomi Fish from comment #7)
> (In reply to Dave Hodgins from comment #6)
> > Shlomi try "dig mageia.org 127.0.0.1"
>
> This is working fine:
>
> [shlomif@localhost ~]$ dig mageia.org 127.0.0.1
>

This is not asking localhost about mageia.org. Instead you are actually passing 2 requests:

First:

> ;; QUESTION SECTION:
> ;mageia.org. IN A
> ;; ANSWER SECTION:
> mageia.org. 1800 IN A 217.70.188.116

To server:

> ;; SERVER: 10.0.0.138#53(10.0.0.138)

Second:

> ;; QUESTION SECTION:
> ;127.0.0.1. IN A
> ;; AUTHORITY SECTION:
> . 6977 IN SOA a.root-servers.net.
> nstld.verisign-grs.com. 2015073000 1800 900 604800 86400

(127.0.0.1 won't resolve to anything, and you need "dig -x" to resolve an IP)

to:

> ;; SERVER: 10.0.0.138#53(10.0.0.138)

If you actually want to ask localhost you need the "@" to point to the server you want to ask... meaning:

dig mageia.org @127.0.0.1
CC: (none) => tmb
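The confusion in the comments above comes down to two things dig's output tells you if you read the right lines: which server answered (the `;; SERVER:` line) and how many responses came back (one `;; Got answer:` block per name argument, so `dig mageia.org 127.0.0.1` produces two). The following is an added example, not part of this bug report or of the Mageia QA procedure: a small parser that turns dig's text output into one record per response, plus a check that passes only when a single NOERROR answer came from the resolver under test. The sample outputs are shortened copies of the dig sessions posted in comments 3, 7 and 12 (header, flags and SERVER lines only); the name `check_local_resolver` and its default of 127.0.0.1 are this example's own choices.

```python
"""Parse dig's text output into one record per response, so a post-update
check shows which server actually answered and with which status. Added
example; the sample outputs are shortened from the dig sessions in this
bug report (header, flags and SERVER lines only)."""
import re

STATUS_RE = re.compile(r"status: ([A-Z]+)")
ANSWER_RE = re.compile(r"ANSWER: (\d+)")
SERVER_RE = re.compile(r";; SERVER: ([0-9a-fA-F.:]+)#\d+")


def parse_dig_output(text):
    """dig prints one ';; Got answer:' block per response; every non-'@'
    argument on the command line is queried as a name and gets its own block."""
    records = []
    for chunk in text.split(";; Got answer:")[1:]:
        status = STATUS_RE.search(chunk)
        answers = ANSWER_RE.search(chunk)
        server = SERVER_RE.search(chunk)
        records.append({
            "status": status.group(1) if status else None,
            "answers": int(answers.group(1)) if answers else 0,
            "server": server.group(1) if server else None,
        })
    return records


def check_local_resolver(text, expected_server="127.0.0.1"):
    """Return (ok, problems). Passes only when dig got exactly one response,
    it came from expected_server, and it was NOERROR with a non-empty answer."""
    records = parse_dig_output(text)
    problems = []
    if len(records) != 1:
        problems.append(f"expected 1 response, got {len(records)} "
                        "(extra non-'@' arguments are queried as names)")
    for rec in records:
        if rec["server"] != expected_server:
            problems.append(f"answered by {rec['server']}, not {expected_server}")
        if rec["status"] != "NOERROR":
            problems.append(f"status {rec['status']}")
        elif rec["answers"] == 0:
            problems.append("NOERROR but empty answer section")
    return (not problems, problems)


# Shortened from comment 7: 'dig mageia.org 127.0.0.1' asks the system resolver twice.
MISDIRECTED = """
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64660
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 10.0.0.138#53(10.0.0.138)
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31606
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; SERVER: 10.0.0.138#53(10.0.0.138)
"""

# Shortened from comment 3: the local named answered, but with SERVFAIL.
SERVFAIL = """
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39401
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

# Shortened from comment 12: the expected healthy result.
HEALTHY = """
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24561
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

if __name__ == "__main__":
    for name, out in (("misdirected", MISDIRECTED), ("servfail", SERVFAIL), ("healthy", HEALTHY)):
        ok, problems = check_local_resolver(out)
        print(name, "OK" if ok else "FAIL", problems)
```

Run against real output with something like `dig mageia.org @127.0.0.1 | python3 check.py` after adding a `sys.stdin.read()` call; the point of the check is that a SERVFAIL from 127.0.0.1 and a NOERROR from some other server are both failures of the update test, even though the second one looks like success at a glance.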
(In reply to Thomas Backlund from comment #10)
> (In reply to Shlomi Fish from comment #7)
> > (In reply to Dave Hodgins from comment #6)
> > > Shlomi try "dig mageia.org 127.0.0.1"
> >
> > This is working fine:
> >
> > [shlomif@localhost ~]$ dig mageia.org 127.0.0.1
> >
>
> This is not asking localhost about mageia.org. Instead you are actually passing 2 requests:
>
> First:
>
> > ;; QUESTION SECTION:
> > ;mageia.org. IN A
> > ;; ANSWER SECTION:
> > mageia.org. 1800 IN A 217.70.188.116
>
> To server:
>
> > ;; SERVER: 10.0.0.138#53(10.0.0.138)
>
> Second:
>
> > ;; QUESTION SECTION:
> > ;127.0.0.1. IN A
> > ;; AUTHORITY SECTION:
> > . 6977 IN SOA a.root-servers.net.
> > nstld.verisign-grs.com. 2015073000 1800 900 604800 86400
>
> (127.0.0.1 won't resolve to anything, and you need "dig -x" to resolve an IP)
>
> to:
>
> > ;; SERVER: 10.0.0.138#53(10.0.0.138)
>
> If you actually want to ask localhost you need the "@" to point to the
> server you want to ask... meaning:
>
> dig mageia.org @127.0.0.1

So what do we do? It doesn't work properly with this syntax.
did you change any configs before or after the update ?

Both before and after the update the default setup works for me on mga5 x86_64

# dig mageia.org @127.0.0.1

; <<>> DiG 9.10.2-P3 <<>> mageia.org @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24561
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mageia.org. IN A

;; ANSWER SECTION:
mageia.org. 1588 IN A 217.70.188.116

;; AUTHORITY SECTION:
mageia.org. 86188 IN NS ns1.mageia.org.
mageia.org. 86188 IN NS ns0.mageia.org.

;; ADDITIONAL SECTION:
ns0.mageia.org. 86188 IN A 212.85.158.146
ns1.mageia.org. 86188 IN A 95.142.164.207

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: fre jul 31 14:45:33 EEST 2015
;; MSG SIZE rcvd: 123
The error in comment 3 is SERVFAIL, did you remember to start the service?
(In reply to Thomas Backlund from comment #12)
> did you change any configs before or after the update ?
>

No, I have not touched anything.

> Both before and after the update the default setup works for me on mga5
> x86_64
>
> # dig mageia.org @127.0.0.1
(In reply to claire robinson from comment #13)
> The error in comment 3 is SERVFAIL, did you remember to start the service?

Yes, I did - I ran "service named start" as root.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0298.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED