Bug 23413 - bind new security issue CVE-2018-5740
Summary: bind new security issue CVE-2018-5740
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga6-64-ok, mga6-32-ok
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-08-09 14:12 CEST by David Walser
Modified: 2018-08-24 01:36 CEST

See Also:
Source RPM: bind-9.11.3-3.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2018-08-09 14:12:11 CEST
ISC has issued an advisory on August 8:
https://kb.isc.org/article/AA-01639

The issue is fixed upstream in 9.11.4-P1:
https://kb.isc.org/article/AA-01644

It is also fixed in 9.10.8-P1:
https://kb.isc.org/article/AA-01643

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-08-09 14:12:24 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-08-09 20:57:49 CEST
Assigning to the registered maintainer.

Assignee: bugsquad => guillomovitch
CC: (none) => marja11

Comment 2 Guillaume Rousse 2018-08-12 18:04:13 CEST
Fixed in cauldron by 9.11.4.P1-1..mga7
David Walser 2018-08-12 18:32:27 CEST

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 3 Guillaume Rousse 2018-08-13 19:30:15 CEST
bind-9.10.8.P1-1.mga6 just submitted in updates_testing.
Comment 4 David Walser 2018-08-13 19:58:08 CEST
Thanks Guillaume!

Advisory:
========================

Updated bind packages fix security vulnerability:

In ISC BIND, a defect in the "deny-answer-aliases" feature makes it easy,
when the feature is in use, to experience an assertion failure in name.c.
Accidental or deliberate triggering of this defect will cause a REQUIRE
assertion failure in named, causing the named process to stop execution and
resulting in denial of service to clients (CVE-2018-5740).

Note that only servers which have explicitly enabled the "deny-answer-aliases"
feature are at risk and disabling the feature prevents exploitation.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5740
https://kb.isc.org/article/AA-01639
https://kb.isc.org/article/AA-01643
========================

Updated packages in core/updates_testing:
========================
bind-9.10.8.P1-1.mga6
bind-sdb-9.10.8.P1-1.mga6
bind-utils-9.10.8.P1-1.mga6
bind-devel-9.10.8.P1-1.mga6
bind-doc-9.10.8.P1-1.mga6
python-bind-9.10.8.P1-1.mga6

from bind-9.10.8.P1-1.mga6.src.rpm

Assignee: guillomovitch => qa-bugs
CC: (none) => guillomovitch
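
The advisory above notes that only servers with "deny-answer-aliases" explicitly enabled are at risk. The following is an added example, not part of the bug report or of BIND itself, that reports active (uncommented) deny-answer-aliases statements in named.conf text; the function names and the sample configuration are constructed for illustration, and include files are not followed.

```python
import re

# named.conf allows /* */, // and # comments; quoted strings are matched first
# so that comment markers inside a string are not treated as comments.
_SKIP = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_STATEMENT = re.compile(r'(?<![\w-])deny-answer-aliases\s*\{')


def blank_comments_and_strings(conf):
    """Replace comments and quoted strings with spaces, keeping newlines."""
    return _SKIP.sub(lambda m: re.sub(r'[^\n]', ' ', m.group(0)), conf)


def deny_answer_aliases_lines(conf):
    """Return 1-based line numbers of active deny-answer-aliases statements."""
    active = blank_comments_and_strings(conf)
    return [active.count('\n', 0, m.start()) + 1
            for m in _STATEMENT.finditer(active)]


# Constructed sample configuration (not taken from the bug report).
SAMPLE = '''\
options {
    directory "/var/named";
    // deny-answer-aliases { "example.net"; };
    /* deny-answer-aliases { "old.example"; };
       still commented out */
    # deny-answer-aliases { "lab.example"; };
    deny-answer-aliases { "example.org"; } except-from { "ok.example.org"; };
};
'''

if __name__ == '__main__':
    hits = deny_answer_aliases_lines(SAMPLE)
    if hits:
        print('deny-answer-aliases is enabled on line(s):', hits)
    else:
        print('deny-answer-aliases is not enabled')
```

To cover included files as well, feed the function the output of `named-checkconf -p`, which prints the full configuration in canonical form.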

Comment 5 Herman Viaene 2018-08-18 11:55:13 CEST
MGA6-32 MATE on IBM Thinkpad R50e
On first test only installed bind-utils and bind-doc on this feeble laptop.
Ran dig and nslookup commands against my own DNS-server on my home network. Answers are OK.
I'll wait a little if someone else does the server part before I venture putting the server on this laptop and change its network settings.

CC: (none) => herman.viaene

Thomas Backlund 2018-08-19 19:30:39 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 6 Herman Viaene 2018-08-21 14:33:20 CEST
Installed server side on the laptop. Changed in MCC the network setting to a network xxx.yyy
Used webmin to create an internal bind server and created a record for itself and a (not existing) mach17 address.
At CLI:
$ nslookup mach17.xxx.yyy
Server:		192.168.2.6
Address:	192.168.2.6#53

Name:	mach17.xxx.yyy
Address: 192.168.2.17

So bind seems to do what I wanted.

Whiteboard: (none) => MGA6-32-OK

Comment 7 Thomas Backlund 2018-08-24 01:00:57 CEST
Works on mga infra, validating

Keywords: (none) => validated_update
Whiteboard: MGA6-32-OK => mga6-64-ok, mga6-32-ok
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2018-08-24 01:36:12 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0353.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
