Upstream has issued an advisory today (November 1):
https://kb.isc.org/article/AA-01434

It is fixed upstream in 9.10.4-P4.

Freeze push requested for Cauldron. Will need a vendor patch for Mageia 5.
Ubuntu has issued an advisory for this today (November 1):
https://www.ubuntu.com/usn/usn-3119-1/

Patched package uploaded for Mageia 5.

Testing procedure: similar to
https://bugs.mageia.org/show_bug.cgi?id=9163#c8

Advisory:
========================

Updated bind packages fix security vulnerability:

Tony Finch and Marco Davids discovered that Bind incorrectly handled certain responses containing a DNAME answer. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service (CVE-2016-8864).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864
https://kb.isc.org/article/AA-01434
https://www.ubuntu.com/usn/usn-3119-1/
========================

Updated packages in core/updates_testing:
========================
bind-9.10.3.P4-1.2.mga5
bind-sdb-9.10.3.P4-1.2.mga5
bind-utils-9.10.3.P4-1.2.mga5
bind-devel-9.10.3.P4-1.2.mga5
bind-doc-9.10.3.P4-1.2.mga5

from bind-9.10.3.P4-1.2.mga5.src.rpm
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure
URL: (none) => http://lwn.net/Vulnerabilities/705362/
Trying this out on x86_64 first. There are no reproducers posted so the test will follow Claire's procedure as indicated in comment #1.
CC: (none) => tarazed25
Before updating installed the bind components. dnsmasq had to be removed before bind would install.

There is a command in /usr/bin called bind9-config which is a symbolic link to multiarch-dispatch but the man page for bind9-config points to isc-config.sh.

From the man pages:
  isc-config.sh prints information related to the installed version of ISC BIND, such as the compiler and linker flags required to compile and link programs that use ISC BIND libraries.

bind is required by bind-sdb and clusterscripts-server

The README file for bind-sdb gives:
  This is an attempt at an LDAP back-end for BIND 9 using the new simplified database interface "sdb".

Other notes under /usr/share/doc indicate that bind-sdb is somewhat experimental. clusterscripts-server is not installed.

Updated the packages as listed.

To make the procedure clearer, named is the DNS server from bind and the dig command specifies the local DNS service which is now named.

$ sudo systemctl start named
$ dig @localhost mageia.org

; <<>> DiG 9.10.3-P4 <<>> @localhost mageia.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31238
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mageia.org. IN A

;; ANSWER SECTION:
mageia.org. 1800 IN A 217.70.188.116

;; AUTHORITY SECTION:
mageia.org. 86400 IN NS ns1.mageia.org.
mageia.org. 86400 IN NS ns0.mageia.org.

;; ADDITIONAL SECTION:
ns0.mageia.org. 86400 IN A 212.85.158.146
ns1.mageia.org. 86400 IN A 95.142.164.207

;; Query time: 908 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Nov 03 19:08:56 GMT 2016
;; MSG SIZE rcvd: 123

The output matches that posted in bug 9168 so 64-bits good.
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Installed the packages on i586 vbox and then updated them. Started the named service and ran

$ dig @localhost mageia.org

and received the same data.

Validating. Would sysadmin please push this to Core Updates?
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK
Hi, please upload the advisory
CC: (none) => mageia
(In reply to Nicolas Lécureuil from comment #5)
> please upload the advisory

Done.
CC: (none) => lewyssmith
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure MGA5-64-OK MGA5-32-OK advisory
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0365.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED