ISC has issued an advisory on July 18:
https://kb.isc.org/article/AA-01393

The issue is fixed in 9.10.4-P2:
https://kb.isc.org/article/AA-01396

Update checked into Cauldron SVN, freeze push request coming soon. Mageia 5 is also affected.

This sounds like a minor issue that would impact very few users of this package.
Whiteboard: (none) => MGA5TOO
bind-9.10.4.P2-1.mga6 was pushed to cauldron by tmb
CC: (none) => marja11
Version: Cauldron => 5
Assignee: bugsquad => guillomovitch
Whiteboard: MGA5TOO => (none)
URL: (none) => http://lwn.net/Vulnerabilities/695097/
ISC has issued an advisory today (September 27):
https://kb.isc.org/article/AA-01419

Freeze push requested for Cauldron. We should update Mageia 5 this time.

The issue is fixed in 9.10.4-P3:
https://kb.isc.org/article/AA-01424
Summary: bind new security issue CVE-2016-2775 => bind new security issues CVE-2016-2775 and CVE-2016-2776
LWN reference for CVE-2016-2776:
http://lwn.net/Vulnerabilities/702118/

Distro advisories for this:
https://rhn.redhat.com/errata/RHSA-2016-1944.html
https://www.debian.org/security/2016/dsa-3680
https://lists.opensuse.org/opensuse-updates/2016-09/msg00103.html
http://www.ubuntu.com/usn/usn-3088-1

We should be able to get patches for these issues from someone. This new CVE is a high severity issue, so we should address this soon.
Severity: normal => critical
Patched package uploaded for Mageia 5.

I added these commits:
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=38cc2d14e218e536e0102fa70deef99461354232
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=9dd582167a8e64917fee9e8343769e09dce6cd1e

Testing procedure: similar to https://bugs.mageia.org/show_bug.cgi?id=9163#c8

Advisory:
========================

Updated bind packages fix security vulnerabilities:

The lwresd component in BIND (which is not enabled by default) could crash while processing an overlong request name. This could lead to a denial of service (CVE-2016-2775).

A crafted query could crash the BIND name server daemon, leading to a denial of service. All server roles (authoritative, recursive and forwarding) in default configurations are affected (CVE-2016-2776).

A conflict between the bind and bind-doc packages has also been fixed (mga#10880).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2776
https://kb.isc.org/article/AA-01393
https://kb.isc.org/article/AA-01419
https://www.debian.org/security/2016/dsa-3680
https://bugs.mageia.org/show_bug.cgi?id=10880
https://bugs.mageia.org/show_bug.cgi?id=18983
========================

Updated packages in core/updates_testing:
========================
bind-9.10.3.P4-1.1.mga5
bind-sdb-9.10.3.P4-1.1.mga5
bind-utils-9.10.3.P4-1.1.mga5
bind-devel-9.10.3.P4-1.1.mga5
bind-doc-9.10.3.P4-1.1.mga5

from bind-9.10.3.P4-1.1.mga5.src.rpm
Blocks: (none) => 10880
Assignee: guillomovitch => qa-bugs
Whiteboard: (none) => has_procedure
Testing M5-64 using the simple procedure given:
https://bugs.mageia.org/show_bug.cgi?id=9163#c8

BEFORE the update:
bind-9.10.3.P4-1.mga5
bind-sdb-9.10.3.P4-1.mga5
bind-utils-9.10.3.P4-1.mga5

    # systemctl start named.service
    # dig @localhost mageia.org

    ; <<>> DiG 9.10.3-P4 <<>> @localhost mageia.org
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59104
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;mageia.org.            IN  A

    ;; ANSWER SECTION:
    mageia.org.     1800    IN  A   217.70.188.116

    ;; AUTHORITY SECTION:
    mageia.org.     86400   IN  NS  ns1.mageia.org.
    mageia.org.     86400   IN  NS  ns0.mageia.org.

    ;; ADDITIONAL SECTION:
    ns0.mageia.org. 86400   IN  A   212.85.158.146
    ns1.mageia.org. 86400   IN  A   95.142.164.207

    ;; Query time: 955 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Gwe Med 30 20:35:19 CEST 2016
    ;; MSG SIZE rcvd: 123

    # systemctl stop named.service
    [Safety first for the update]

AFTER the update:
bind-9.10.3.P4-1.1.mga5
bind-sdb-9.10.3.P4-1.1.mga5
bind-utils-9.10.3.P4-1.1.mga5

    # systemctl start named.service
    # dig @localhost mageia.org

Output essentially identical to previous. Update seems OK.
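
Added example, not part of the original comment or of the Mageia test procedure: a shell helper for the before/after check above that compares two saved dig outputs while ignoring the fields that change on every query (banner, message id, TTLs, timing, timestamp, size). The function names, file names and the "after" and "fail" captures are constructed for illustration; the "before" capture is abridged from the output in the comment.

```shell
#!/bin/sh
# Added example, not from the bug report. Sample captures are constructed.

# Keep only the parts of dig output that should be stable across a package
# update: drop banner, timing, timestamp and size lines, then strip the
# message id and replace the TTL column of resource records.
normalize_dig() {
    grep -v -e '^; <<>> DiG' -e '^;; Query time:' -e '^;; WHEN:' -e '^;; MSG SIZE' |
    sed -E -e 's/, id: [0-9]+$//' \
        -e 's/^([^;[:space:]][^[:space:]]*[[:space:]]+)[0-9]+([[:space:]]+IN[[:space:]])/\1TTL\2/'
}

# Print the response code (NOERROR, SERVFAIL, ...) from the header line.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' "$1"
}

# Succeed only if both captures are NOERROR and equal after normalising.
same_answer() {
    [ "$(dig_status "$1")" = NOERROR ] && [ "$(dig_status "$2")" = NOERROR ] &&
    [ "$(normalize_dig < "$1")" = "$(normalize_dig < "$2")" ]
}

tmp=$(mktemp -d)

# "Before" capture, abridged from the comment above.
cat > "$tmp/before.txt" <<'EOF'
; <<>> DiG 9.10.3-P4 <<>> @localhost mageia.org
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59104
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; QUESTION SECTION:
;mageia.org.            IN  A
;; ANSWER SECTION:
mageia.org.     1800    IN  A   217.70.188.116
;; Query time: 955 msec
;; WHEN: Gwe Med 30 20:35:19 CEST 2016
;; MSG SIZE rcvd: 123
EOF

# Constructed "after" capture: same answer, different id, TTL and timing.
sed -e 's/id: 59104/id: 1234/' -e 's/1800/1742/' -e 's/955 msec/3 msec/' \
    "$tmp/before.txt" > "$tmp/after.txt"
# Constructed failure capture: the server answers with SERVFAIL.
sed -e 's/NOERROR/SERVFAIL/' "$tmp/before.txt" > "$tmp/fail.txt"

same_answer "$tmp/before.txt" "$tmp/after.txt" && echo "answers match"
same_answer "$tmp/before.txt" "$tmp/fail.txt" || echo "regression detected"
```

In real use the two files would come from `dig @localhost mageia.org > before.txt` run before the update and the same command redirected to `after.txt` once the updated named is started.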
CC: (none) => lewyssmith
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0332.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED