ISC has issued an advisory on November 20: https://kb.isc.org/docs/cve-2019-6477 The issue is fixed upstream in 9.11.13: https://downloads.isc.org/isc/bind9/9.11.13/RELEASE-NOTES-bind-9.11.13.html Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Assigning globally of necessity.
Assignee: bugsquad => pkg-bugs
Assignee: pkg-bugs => lists.jjorge
CC: (none) => lists.jjorge
Assignee: lists.jjorge => guillomovitch
Sorry I thought it had no maintainer, leaving it to the maintainer.
Status: NEW => ASSIGNED
Ubuntu has issued an advisory for this on November 21: https://usn.ubuntu.com/4197-1/
Fedora has issued an advisory for this on November 29: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TAYHC7OZCN6L6SUFSQGMCJ5VQZZ4WPEC/
Severity: normal => major
bind-9.11.13-1.mga8 uploaded for Cauldron by Guillaume 6 weeks ago.
Status comment: (none) => Fixed upstream in 9.11.13
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
RedHat has issued an advisory for this on April 28: https://access.redhat.com/errata/RHSA-2020:1845
ISC has issued advisories on May 19: https://kb.isc.org/docs/cve-2020-8616 https://kb.isc.org/docs/cve-2020-8617 The issues are fixed upstream in 9.11.19: https://downloads.isc.org/isc/bind9/9.11.19/RELEASE-NOTES-bind-9.11.19.html Patches for all of these issues are at: https://downloads.isc.org/isc/bind9/9.11.13/patches/ https://downloads.isc.org/isc/bind9/9.11.19/patches/
Whiteboard: (none) => MGA7TOO
Version: 7 => Cauldron
Status comment: Fixed upstream in 9.11.13 => Fixed upstream in 9.11.19
Summary: bind new security issue CVE-2019-6477 => bind new security issues CVE-2019-6477 and CVE-2020-861[67]
Source RPM: bind-9.11.9-2.mga8.src.rpm => bind-9.11.6-1.1.mga7.src.rpm
Debian and Ubuntu have issued advisories for this on May 19: https://www.debian.org/security/2020/dsa-4689 https://usn.ubuntu.com/4365-1/
Guillaume has built bind-9.11.6-1.1.mga7 with the needed patches.

bind-9.11.6-1.1.mga7
bind-sdb-9.11.6-1.1.mga7
bind-utils-9.11.6-1.1.mga7
bind-dnssec-utils-9.11.6-1.1.mga7
libdns1105-9.11.6-1.1.mga7
libirs161-9.11.6-1.1.mga7
libisc1100-9.11.6-1.1.mga7
libbind9_161-9.11.6-1.1.mga7
liblwres161-9.11.6-1.1.mga7
libisccc161-9.11.6-1.1.mga7
libisccfg163-9.11.6-1.1.mga7
bind-devel-9.11.6-1.1.mga7
bind-chroot-9.11.6-1.1.mga7
bind-sdb-chroot-9.11.6-1.1.mga7
python3-bind-9.11.6-1.1.mga7

Now we just need Cauldron updated to 9.11.19.
I'll wait for Fedora for 9.11.19; there are way too many patches to rebase first.
They have now, Guillaume :)
CC: (none) => mageia
Mageia 7 update in Comment 9. Advisory to come.
Status comment: Fixed upstream in 9.11.19 => (none)
Version: Cauldron => 7
CC: (none) => guillomovitch
Assignee: guillomovitch => qa-bugs
Whiteboard: MGA7TOO => (none)
Advisory:
========================

Updated bind packages fix security vulnerabilities:

It was discovered that Bind incorrectly handled certain TCP-pipelined queries. A remote attacker could possibly use this issue to cause Bind to consume resources, resulting in a denial of service (CVE-2019-6477).

Lior Shafir, Yehuda Afek, and Anat Bremler-Barr discovered that Bind incorrectly limited certain fetches. A remote attacker could possibly use this issue to cause Bind to consume resources, leading to a denial of service, or possibly use Bind to perform a reflection attack (CVE-2020-8616).

Tobias Klein discovered that Bind incorrectly handled checking TSIG validity. A remote attacker could use this issue to cause Bind to crash, resulting in a denial of service, or possibly perform other attacks (CVE-2020-8617).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6477
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8616
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8617
https://kb.isc.org/docs/cve-2019-6477
https://kb.isc.org/docs/cve-2020-8616
https://kb.isc.org/docs/cve-2020-8617
https://usn.ubuntu.com/4197-1/
https://usn.ubuntu.com/4365-1/
MGA7-64 Plasma on Lenovo B50. No installation issues. As client accessing my own DNS server in the LAN: all OK. But still the same issue as in bug 24422: the default installation does not point to the chrooted environment which is configured when using MCC or webmin to populate the server records. I'll leave the decision to OK this update to others; I find this unacceptable.
CC: (none) => herman.viaene
Yes, but Guillaume told he wants to update to 9.11.19. I think we can wait.
I mentioned version 9.11.19 for Cauldron only; I don't see the point of pushing a new version in Mageia 7. Regarding the inconsistency issue with MCC and Webmin, this is not a regression and should not block a security update. This kind of generic QA issue would be better handled at release time, not during the lifetime of the distribution. And regarding the issue itself, the problem comes from those configuration tools making assumptions out of their control about the default server installation path. Unless the new chroot path is proven to be an explicit FHS (or other similar standard), I think it is a safer option to align with other distributions' practices (especially when they are actually the upstream for package maintenance...) rather than on undocumented local distribution tools' practices. Which means that MCC and Webmin should get updated, not the bind package.
My bad, I misunderstood :) So let's go QA :)
I understand Guillaume's point that it is not opportune to block this update for the reason I brought up. And I do not mind what solution is finally taken. My frustration is that M6 was consistent in the use of the chroot option. M7 is a mixed bag. I'll keep that in mind for M8.
Nothing to add, so let's go.
Whiteboard: (none) => MGA7-64-OK
All right then, validating. Advisory in Comment 13.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0259.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED