Upstream has issued advisories today (December 15):
This is a critical, remotely exploitable denial of service vulnerability.
Updated packages uploaded for Mageia 5 and Cauldron.
Updated bind packages fix security vulnerability:
An error in the parsing of incoming responses allows some records with an
incorrect class to be accepted by BIND instead of being rejected as malformed.
This can trigger a REQUIRE assertion failure when those records are
subsequently cached. Intentional exploitation of this condition is possible
and could be used as a denial-of-service vector against servers performing
recursive queries (CVE-2015-8500).
Updated packages in core/updates_testing:
Steps to Reproduce:
Testing procedure: similar to
Debian has issued an advisory for this on December 15:
preparing to test x86_64 rpms
tested OK on x86_64
(In reply to Paul Blackburn from comment #4)
> tested OK on x86_64
Paul could you expand a little, or a lot, on how you tested bind.
Tested the updated RPMs on a name server with SOA for a domain and several subnets. Verified BIND handled forward and inverse queries for the domain, subnets, and for external queries. Searched for a proof of concept for the vulnerability addressed by this update but was not able to find one.
$ dig mageia.org|grep SERVER
;; SERVER: 127.0.0.1#53(127.0.0.1)
Confirmed working here. Validating the update.
I'll add the advisory to svn shortly, if it isn't already there.
Advisory uploaded to svn.
has_procedure MGA5-64-OK =>
has_procedure MGA5-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository.
This is two bugs in a week that I typoed the CVE in the advisory text, but had the correct CVE in the references and bug title. I have fixed it in SVN.
When uploading the advisories, please make sure the CVEs match. If they don't, please ask for clarification if you're not sure which is correct. I apologize for the errors.