Bug 18983 - bind new security issues CVE-2016-2775 and CVE-2016-2776
Summary: bind new security issues CVE-2016-2775 and CVE-2016-2776
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/695097/
Whiteboard: has_procedure MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks: 10880
  Show dependency treegraph
 
Reported: 2016-07-19 15:09 CEST by David Walser
Modified: 2016-10-04 14:21 CEST (History)
4 users (show)

See Also:
Source RPM: bind-9.10.4.P1-1.mga6.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2016-07-19 15:09:51 CEST 
ISC has issued an advisory on July 18:
https://kb.isc.org/article/AA-01393

The issue is fixed in 9.10.4-P2:
https://kb.isc.org/article/AA-01396

Update checked into Cauldron SVN, freeze push request coming soon.

Mageia 5 is also affected.  This sounds like a minor issue that would impact very few users of this package.
David Walser 2016-07-19 15:10:01 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-07-20 18:53:10 CEST 
bind-9.10.4.P2-1.mga6 was pushed to cauldron by tmb

CC: (none) => marja11
Version: Cauldron => 5
Assignee: bugsquad => guillomovitch
Whiteboard: MGA5TOO => (none)

David Walser 2016-07-21 19:10:15 CEST

URL: (none) => http://lwn.net/Vulnerabilities/695097/

Comment 2 David Walser 2016-09-27 22:52:57 CEST 
ISC has issued an advisory today (September 27):
https://kb.isc.org/article/AA-01419

Freeze push requested for Cauldron.  We should update Mageia 5 this time.

The issue is fixed in 9.10.4-P3:
https://kb.isc.org/article/AA-01424

Summary: bind new security issue CVE-2016-2775 => bind new security issues CVE-2016-2775 and CVE-2016-2776

Comment 3 David Walser 2016-09-28 22:24:58 CEST 
LWN reference for CVE-2016-2776:
http://lwn.net/Vulnerabilities/702118/

Distro advisories for this:
https://rhn.redhat.com/errata/RHSA-2016-1944.html
https://www.debian.org/security/2016/dsa-3680
https://lists.opensuse.org/opensuse-updates/2016-09/msg00103.html
http://www.ubuntu.com/usn/usn-3088-1

We should be able to get patches for these issues from someone.

This new CVE is a high severity issue, so we should address this soon.

Severity: normal => critical

Comment 4 David Walser 2016-09-29 15:51:04 CEST 
Patched package uploaded for Mageia 5.

I added these commits:
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=38cc2d14e218e536e0102fa70deef99461354232
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=9dd582167a8e64917fee9e8343769e09dce6cd1e

Testing procedure: similar to
https://bugs.mageia.org/show_bug.cgi?id=9163#c8

Advisory:
========================

Updated bind packages fix security vulnerabilities:

The lwresd component in BIND (which is not enabled by default) could crash while
processing an overlong request name. This could lead to a denial of service
(CVE-2016-2775).

A crafted query could crash the BIND name server daemon, leading to a denial of
service. All server roles (authoritative, recursive and forwarding) in default
configurations are affected (CVE-2016-2776).

A conflict between the bind and bind-doc packages has also been fixed
(mga#10880).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2776
https://kb.isc.org/article/AA-01393
https://kb.isc.org/article/AA-01419
https://www.debian.org/security/2016/dsa-3680
https://bugs.mageia.org/show_bug.cgi?id=10880
https://bugs.mageia.org/show_bug.cgi?id=18983
========================

Updated packages in core/updates_testing:
========================
bind-9.10.3.P4-1.1.mga5
bind-sdb-9.10.3.P4-1.1.mga5
bind-utils-9.10.3.P4-1.1.mga5
bind-devel-9.10.3.P4-1.1.mga5
bind-doc-9.10.3.P4-1.1.mga5

from bind-9.10.3.P4-1.1.mga5.src.rpm

Blocks: (none) => 10880
Assignee: guillomovitch => qa-bugs
Whiteboard: (none) => has_procedure

Comment 5 Lewis Smith 2016-09-30 20:47:45 CEST 
Testing M5-64 using the simple procedure given:
 https://bugs.mageia.org/show_bug.cgi?id=9163#c8

BEFORE the update:
 bind-9.10.3.P4-1.mga5
 bind-sdb-9.10.3.P4-1.mga5
 bind-utils-9.10.3.P4-1.mga5

# systemctl start named.service
# dig @localhost mageia.org

; <<>> DiG 9.10.3-P4 <<>> @localhost mageia.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59104
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mageia.org.			IN	A

;; ANSWER SECTION:
mageia.org.		1800	IN	A	217.70.188.116

;; AUTHORITY SECTION:
mageia.org.		86400	IN	NS	ns1.mageia.org.
mageia.org.		86400	IN	NS	ns0.mageia.org.

;; ADDITIONAL SECTION:
ns0.mageia.org.		86400	IN	A	212.85.158.146
ns1.mageia.org.		86400	IN	A	95.142.164.207

;; Query time: 955 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Gwe Med 30 20:35:19 CEST 2016
;; MSG SIZE  rcvd: 123

# systemctl stop named.service         [Safety first for the update]

AFTER the update:
 bind-9.10.3.P4-1.1.mga5
 bind-sdb-9.10.3.P4-1.1.mga5
 bind-utils-9.10.3.P4-1.1.mga5

# systemctl start named.service
# dig @localhost mageia.org
Output essentially identical to previous.
Update seems OK.

CC: (none) => lewyssmith
Whiteboard: has_procedure => has_procedure MGA5-64-OK

Dave Hodgins 2016-10-04 13:25:33 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2016-10-04 14:21:38 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0332.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.