Upstream has issued advisories today (December 15): https://kb.isc.org/article/AA-01317 This is a critical, remotely exploitable denial of service vulnerability. Updated packages uploaded for Mageia 5 and Cauldron. Advisory: ======================== Updated bind packages fix security vulnerability: An error in the parsing of incoming responses allows some records with an incorrect class to be accepted by BIND instead of being rejected as malformed. This can trigger a REQUIRE assertion failure when those records are subsequently cached. Intentional exploitation of this condition is possible and could be used as a denial-of-service vector against servers performing recursive queries (CVE-2015-8500). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8000 https://kb.isc.org/article/AA-01317 https://kb.isc.org/article/AA-01317 ======================== Updated packages in core/updates_testing: ======================== bind-9.10.3.P2-1.mga5 bind-sdb-9.10.3.P2-1.mga5 bind-utils-9.10.3.P2-1.mga5 bind-devel-9.10.3.P2-1.mga5 bind-doc-9.10.3.P2-1.mga5 from bind-9.10.3.P2-1.mga5.src.rpm Reproducible: Steps to Reproduce:
Testing procedure: similar to https://bugs.mageia.org/show_bug.cgi?id=9163#c8
Whiteboard: (none) => has_procedure
Debian has issued an advisory for this on December 15: https://www.debian.org/security/2015/dsa-3420
preparing to test x86_64 rpms
CC: (none) => paul.blackburn
tested OK on x86_64
URL: (none) => http://lwn.net/Vulnerabilities/668124/
(In reply to Paul Blackburn from comment #4) > tested OK on x86_64 Paul could you expand a little, or a lot, on how you tested bind. Thanks
CC: (none) => wilcal.int
Tested the updated RPMs on a name server with SOA for a domain and several subnets. Verified BIND handled forward and inverse queries for the domain, subnets, and for external queries. Searched for a proof of concept for the vulnerability addressed by this update but was not able to find one.
$ dig mageia.org|grep SERVER ;; SERVER: 127.0.0.1#53(127.0.0.1) Confirmed working here. Validating the update. I'll add the advisory to svn shortly, if it isn't already there.
Keywords: (none) => validated_updateWhiteboard: has_procedure => has_procedure MGA5-64-OKCC: (none) => davidwhodgins, sysadmin-bugs
Advisory uploaded to svn.
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0481.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
This is two bugs in a week that I typoed the CVE in the advisory text, but had the correct CVE in the references and bug title. I have fixed it in SVN. When uploading the advisories, please make sure the CVEs match. If they don't, please ask for clarification if you're not sure which is correct. I apologize for the errors.