Upstream has issued advisories today (January 11):
https://kb.isc.org/article/AA-01439
https://kb.isc.org/article/AA-01440
https://kb.isc.org/article/AA-01441
https://kb.isc.org/article/AA-01442
The issues are fixed in 9.10.4-P5:
https://kb.isc.org/article/AA-01447
Freeze push requested for Cauldron. We'll need patches for Mageia 5.
Assigning to registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => guillomovitch
LWN reference for CVE-2016-9778:
https://lwn.net/Vulnerabilities/711463/
Debian and Ubuntu have issued advisories for the other issues on January 11 and 12:
https://www.debian.org/security/2017/dsa-3758
https://www.ubuntu.com/usn/usn-3172-1/
For some reason, they both believe that CVE-2016-9778 only affects 9.11.0, even though that's not what the upstream advisory says.
URL: (none) => https://lwn.net/Vulnerabilities/711457/
BIND 9.10.4-P6 has been released on February 8:
https://kb.isc.org/article/AA-01455
It fixes CVE-2017-3135:
https://kb.isc.org/article/AA-01453
It also fixes a regression from the previous security update. Freeze push requested for Cauldron.
Summary: bind new security issues CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2016-9778 => bind new security issues CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2016-9778, CVE-2017-3135
LWN reference for CVE-2017-3135: https://lwn.net/Vulnerabilities/714256/
Upstream has issued advisories on April 12:
https://kb.isc.org/article/AA-01465
https://kb.isc.org/article/AA-01466
https://kb.isc.org/article/AA-01471
The issues are fixed in 9.10.4-P8:
https://kb.isc.org/article/AA-01484
SUSE has issued an advisory for this on April 13:
https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00016.html
Freeze push requested for Cauldron.
Summary: bind new security issues CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2016-9778, CVE-2017-3135 => bind new security issues CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2016-9778, CVE-2017-313[5-8]
Warning about trying to backport the CVE-2017-3137 change:
http://openwall.com/lists/oss-security/2017/04/17/5
We should probably just sync the package with Cauldron now.
Upstream has issued advisories on June 29:
https://kb.isc.org/article/AA-01503
https://kb.isc.org/article/AA-01504
The issues are fixed in 9.10.5-P2:
https://kb.isc.org/article/AA-01508
Ubuntu has issued an advisory for this on June 29:
https://www.ubuntu.com/usn/usn-3346-1/
Freeze push requested for Cauldron.
Summary: bind new security issues CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2016-9778, CVE-2017-313[5-8] => bind new security issues CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2016-9778, CVE-2017-313[5-8], CVE-2017-314[23]
9.10.5-P3 has been released today (July 8), fixing a regression in 9.10.5-P2:
https://ftp.isc.org/isc/bind9/9.10.5-P3/RELEASE-NOTES-bind-9.10.5-P3.html
Once Mageia 6 is open, we should update it and sync Mageia 5 with that.
Advisory (Mageia 5):
========================

Updated bind packages fix security vulnerabilities:

It was discovered that Bind incorrectly handled certain malformed responses to an ANY query. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service (CVE-2016-9131).

It was discovered that Bind incorrectly handled certain malformed responses to an ANY query. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service (CVE-2016-9147).

It was discovered that Bind incorrectly handled certain malformed DS record responses. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service (CVE-2016-9444).

An error in handling certain queries can cause an assertion failure when a server is using the nxdomain-redirect feature to cover a zone for which it is also providing authoritative service. A vulnerable server could be intentionally stopped by an attacker if it was using a configuration that met the criteria for the vulnerability and if the attacker could cause it to accept a query that possessed the required attributes (CVE-2016-9778).

It was discovered that Bind incorrectly handled rewriting certain query responses when using both DNS64 and RPZ. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service (CVE-2017-3135).

Oleg Gorokhov discovered that in some situations, Bind did not properly handle DNS64 queries. An attacker could use this to cause a denial of service (CVE-2017-3136).

It was discovered that the resolver in Bind made incorrect assumptions about ordering when processing responses containing a CNAME or DNAME. An attacker could use this to cause a denial of service (CVE-2017-3137).

Mike Lalumiere discovered that in some situations, Bind did not properly handle invalid operations requested via its control channel. An attacker with access to the control channel could cause a denial of service (CVE-2017-3138).

Clément Berthaux discovered that Bind did not correctly check TSIG authentication for zone transfer requests. An attacker could use this to improperly transfer entire zones (CVE-2017-3142).

Clément Berthaux discovered that Bind did not correctly check TSIG authentication for zone update requests. An attacker could use this to improperly perform zone updates (CVE-2017-3143).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9778
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3135
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3136
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3137
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3142
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3143
https://kb.isc.org/article/AA-01439
https://kb.isc.org/article/AA-01440
https://kb.isc.org/article/AA-01441
https://kb.isc.org/article/AA-01442
https://kb.isc.org/article/AA-01453
https://kb.isc.org/article/AA-01465
https://kb.isc.org/article/AA-01466
https://kb.isc.org/article/AA-01471
https://kb.isc.org/article/AA-01503
https://kb.isc.org/article/AA-01504
https://kb.isc.org/article/AA-01447
https://kb.isc.org/article/AA-01455
https://kb.isc.org/article/AA-01484
https://kb.isc.org/article/AA-01508
https://ftp.isc.org/isc/bind9/9.10.5-P3/RELEASE-NOTES-bind-9.10.5-P3.html
https://usn.ubuntu.com/usn/usn-3172-1/
https://usn.ubuntu.com/usn/usn-3201-1/
https://usn.ubuntu.com/usn/usn-3259-1/
========================

Updated packages in core/updates_testing:
========================
bind-9.10.5.P3-1.mga5
bind-sdb-9.10.5.P3-1.mga5
bind-utils-9.10.5.P3-1.mga5
bind-devel-9.10.5.P3-1.mga5
bind-doc-9.10.5.P3-1.mga5
python-bind-9.10.5.P3-1.mga5

from bind-9.10.5.P3-1.mga5.src.rpm

Advisory (bugfix-only advisory for Mageia 6):
----------------------------------------

The bind package has been updated to version 9.10.5-P3 to fix a regression.

References:
https://ftp.isc.org/isc/bind9/9.10.5-P3/RELEASE-NOTES-bind-9.10.5-P3.html
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
bind-9.10.5.P3-1.mga6
bind-sdb-9.10.5.P3-1.mga6
bind-utils-9.10.5.P3-1.mga6
bind-devel-9.10.5.P3-1.mga6
bind-doc-9.10.5.P3-1.mga6
python-bind-9.10.5.P3-1.mga6

from bind-9.10.5.P3-1.mga6.src.rpm
CC: (none) => guillomovitch
Version: 5 => 6
Assignee: guillomovitch => qa-bugs
Whiteboard: (none) => MGA5TOO
To prioritise.
Tested both arches, both releases. Advisories committed to svn. Validating the update.
Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK MGA5-32-OK MGA6-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2017-0140.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0478.html