Bug 17339 - bind new security issue CVE-2015-8000
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586, OS: Linux
Priority: Normal, Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/668124/
Whiteboard: has_procedure MGA5-64-OK advisory
Keywords: validated_update
Reported: 2015-12-16 01:14 CET by David Walser
Modified: 2015-12-21 21:46 CET
Source RPM: bind-9.10.2.P4-1.mga5.src.rpm

Description David Walser 2015-12-16 01:14:14 CET
Upstream has issued advisories today (December 15):
https://kb.isc.org/article/AA-01317

This is a critical, remotely exploitable denial of service vulnerability.

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated bind packages fix security vulnerability:

An error in the parsing of incoming responses allows some records with an
incorrect class to be accepted by BIND instead of being rejected as malformed.
This can trigger a REQUIRE assertion failure when those records are
subsequently cached. Intentional exploitation of this condition is possible
and could be used as a denial-of-service vector against servers performing
recursive queries (CVE-2015-8500).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8000
https://kb.isc.org/article/AA-01317
========================

Updated packages in core/updates_testing:
========================
bind-9.10.3.P2-1.mga5
bind-sdb-9.10.3.P2-1.mga5
bind-utils-9.10.3.P2-1.mga5
bind-devel-9.10.3.P2-1.mga5
bind-doc-9.10.3.P2-1.mga5

from bind-9.10.3.P2-1.mga5.src.rpm
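
Added example, not part of the original bug report and not BIND's code: a minimal Python check of the kind of class validation the advisory above describes, flagging resource records whose class differs from the question's class. The helper names, the constructed sample packets and the treatment of OPT/TKEY/TSIG as exempt meta-types are assumptions of this illustration.

```python
import struct

# Types whose CLASS field is not an ordinary class: OPT (41) reuses it for the
# UDP payload size; TKEY (249) and TSIG (250) are sent with class ANY.
META_TYPES = {41, 249, 250}

def skip_name(msg, off):
    """Return the offset just past the domain name that starts at off."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        if length & 0xC0:
            raise ValueError("bad label type")
        off += 1 + length

def class_mismatches(msg):
    """List (section, type, class) for records whose class differs from the question's."""
    if len(msg) < 12:
        raise ValueError("short header")
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    if qd != 1:
        raise ValueError("expected exactly one question")
    off = skip_name(msg, 12)
    _qtype, qclass = struct.unpack_from("!2H", msg, off)
    off += 4
    bad = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen
            if off > len(msg):
                raise ValueError("truncated record")
            if rtype not in META_TYPES and rclass != qclass:
                bad.append((section, rtype, rclass))
    return bad

def build_response(rclass):
    """Constructed sample: reply to 'example. IN A' with one A record of class rclass."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 1)
    question = b"\x07example\x00" + struct.pack("!2H", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, rclass, 60, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return header + question + answer + opt
```

A receiver applying this rule would treat any non-empty result as a malformed message and drop it before caching; the OPT record in the sample is not flagged even though its class field holds 4096.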

Comment 1 David Walser 2015-12-16 01:14:46 CET
Testing procedure: similar to
https://bugs.mageia.org/show_bug.cgi?id=9163#c8

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2015-12-16 14:38:48 CET
Debian has issued an advisory for this on December 15:
https://www.debian.org/security/2015/dsa-3420

Comment 3 Paul Blackburn 2015-12-16 16:21:23 CET
preparing to test x86_64 rpms

CC: (none) => paul.blackburn

Comment 4 Paul Blackburn 2015-12-16 16:35:46 CET
tested OK on x86_64
David Walser 2015-12-16 19:30:38 CET

URL: (none) => http://lwn.net/Vulnerabilities/668124/

Comment 5 William Kenney 2015-12-17 18:48:12 CET
(In reply to Paul Blackburn from comment #4)

> tested OK on x86_64

Paul, could you expand a little, or a lot, on how you tested bind?
Thanks

CC: (none) => wilcal.int

Comment 6 Paul Blackburn 2015-12-17 21:05:22 CET
Tested the updated RPMs on a name server with SOA for a domain and several subnets. Verified BIND handled forward and inverse queries for the domain, subnets, and for external queries. Searched for a proof of concept for the vulnerability addressed by this update but was not able to find one.

Comment 7 Dave Hodgins 2015-12-18 04:37:54 CET
$ dig mageia.org|grep SERVER
;; SERVER: 127.0.0.1#53(127.0.0.1)

Confirmed working here. Validating the update.

I'll add the advisory to svn shortly, if it isn't already there.

Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure MGA5-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 8 Dave Hodgins 2015-12-18 04:46:19 CET
Advisory uploaded to svn.

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory

Comment 9 Mageia Robot 2015-12-20 10:16:20 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0481.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 10 David Walser 2015-12-21 21:46:52 CET
This is two bugs in a week that I typoed the CVE in the advisory text, but had the correct CVE in the references and bug title.  I have fixed it in SVN.

When uploading the advisories, please make sure the CVEs match.  If they don't, please ask for clarification if you're not sure which is correct.  I apologize for the errors.
