ISC has issued an advisory on February 17: https://kb.isc.org/docs/cve-2020-8625
The issue is fixed upstream in 9.11.28: https://downloads.isc.org/isc/bind9/9.11.28/patches
Mageia 7 and Mageia 8 are also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 9.11.28
Summary: bind new security issue => bind new security issue CVE-2020-8625
Assigning to Guillaume, the registered & an active maintainer of 'bind'.
Assignee: bugsquad => guillomovitch
I wonder if the 9.11.28 set will be affected by this mess in the newer ones: https://seclists.org/oss-sec/2021/q1/169
They said the mess only affected 9.16 and 9.17.
The upstream patch for 9.11.28 applies correctly on 9.11.27 and 9.11.6, the versions we have for Mageia 8 and Mageia 7, so I prefer to stick with current versions. I couldn't commit anything, though, either in cauldron, mageia 8 update or mageia 7 update branches, as the subversion repository is currently restricted. I guess I have to wait for release to be finalised first.
The svn repository is now open, I just submitted update candidates for both Mageia 7 and Mageia 8:
- bind-9.11.6-1.3.mga7
- bind-9.11.27-1.1.mga8
You should be able to push the Cauldron build now. Built so far:
bind-9.11.6-1.3.mga7
bind-sdb-9.11.6-1.3.mga7
bind-utils-9.11.6-1.3.mga7
bind-dnssec-utils-9.11.6-1.3.mga7
libdns1105-9.11.6-1.3.mga7
libirs161-9.11.6-1.3.mga7
libisc1100-9.11.6-1.3.mga7
libbind9_161-9.11.6-1.3.mga7
liblwres161-9.11.6-1.3.mga7
libisccc161-9.11.6-1.3.mga7
libisccfg163-9.11.6-1.3.mga7
bind-devel-9.11.6-1.3.mga7
bind-chroot-9.11.6-1.3.mga7
bind-sdb-chroot-9.11.6-1.3.mga7
python3-bind-9.11.6-1.3.mga7

bind-9.11.27-1.1.mga8
libdns_pkcs11_1113-9.11.27-1.1.mga8
libdns1113-9.11.27-1.1.mga8
bind-devel-9.11.27-1.1.mga8
bind-sdb-9.11.27-1.1.mga8
bind-pkcs11-9.11.27-1.1.mga8
bind-utils-9.11.27-1.1.mga8
libisc_pkcs11_1107-9.11.27-1.1.mga8
bind-pkcs11-utils-9.11.27-1.1.mga8
libisc1107-9.11.27-1.1.mga8
python3-bind-9.11.27-1.1.mga8
bind-dnssec-utils-9.11.27-1.1.mga8
libisccfg163-9.11.27-1.1.mga8
libbind9_161-9.11.27-1.1.mga8
liblwres161-9.11.27-1.1.mga8
libisccc161-9.11.27-1.1.mga8
libirs161-9.11.27-1.1.mga8
bind-pkcs11-devel-9.11.27-1.1.mga8
bind-sdb-chroot-9.11.27-1.1.mga8
bind-chroot-9.11.27-1.1.mga8
bind-9.16.11-1.mga9 uploaded for Cauldron by Guillaume.
Debian has issued an advisory for this on February 18: https://www.debian.org/security/2021/dsa-4857
CC: (none) => guillomovitch
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
Status comment: Fixed upstream in 9.11.28 => (none)
Assignee: guillomovitch => qa-bugs
Ubuntu has issued an advisory for this on February 18: https://ubuntu.com/security/notices/USN-4737-1
MGA7-64 MATE on PeaqC1011
No installation issues.
Ref bug 25724 e.a. for testing.
Works OK as client, will make another attempt to make a very basic server, no guarantee....
CC: (none) => herman.viaene
Continuing from Comment 9
Used webmin to create a local nameserver and started it from there, resulting in
# systemctl -l status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2021-03-01 16:52:44 CET; 4min 30s ago
  Process: 14012 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMED>
  Process: 14014 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 14015 (named)
    Tasks: 7 (limit: 2285)
   Memory: 56.7M
   CGroup: /system.slice/named.service
           └─14015 /usr/sbin/named -u named -c /etc/named.conf
So OK for me, although I don't like running it in a non-rooted environment.
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
Repeated the same tests as in Comment 9 and 10 with the same results for M8. OK for me.
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Validating. Needs an advisory.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory:
========================

Updated bind packages fix security vulnerability:

A buffer overflow vulnerability was discovered in the SPNEGO implementation affecting the GSSAPI security policy negotiation in BIND, which could result in denial of service (daemon crash), or potentially the execution of arbitrary code (CVE-2020-8625).

The default configuration is not vulnerable to this issue, but it is if the tkey-gssapi-keytab or tkey-gssapi-credential configuration options are set.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8625
https://kb.isc.org/docs/cve-2020-8625
https://www.debian.org/security/2021/dsa-4857
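The advisory above ties exposure to whether tkey-gssapi-keytab or tkey-gssapi-credential is set. The following is an added example (not part of this bug report or of BIND) of a check for active, non-commented occurrences of those options in named.conf text; the sample configuration is constructed, and files pulled in with include statements are not followed.

```python
import re

# Matches the two options the advisory names, followed by a quoted or bare value.
OPTION_RE = re.compile(
    r'(?<![\w-])(tkey-gssapi-keytab|tkey-gssapi-credential)\s+("[^"]*"|[^\s;"]+)\s*;')

def strip_comments(text):
    """Blank out named.conf comments (/* */, //, #), keeping strings and line numbers."""
    out, i, n, in_string = [], 0, len(text), False
    while i < n:
        ch = text[i]
        if in_string:
            out.append(ch)
            if ch == "\\" and i + 1 < n:      # keep an escaped character as-is
                i += 1
                out.append(text[i])
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
            out.append(ch)
        elif text.startswith("/*", i):        # block comment: keep its newlines
            end = text.find("*/", i + 2)
            stop = n if end == -1 else end + 2
            out.append(" " + "\n" * text.count("\n", i, stop))
            i = stop - 1
        elif ch == "#" or text.startswith("//", i):   # comment to end of line
            end = text.find("\n", i)
            i = (n if end == -1 else end) - 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)

def find_gssapi_options(text):
    """Return (line, option, value) for every active tkey-gssapi-* statement."""
    clean = strip_comments(text)
    return [(clean.count("\n", 0, m.start()) + 1, m.group(1), m.group(2).strip('"'))
            for m in OPTION_RE.finditer(clean)]

# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONF = """options {
    // tkey-gssapi-keytab "/etc/old.keytab";
    /* tkey-gssapi-credential "DNS/old.example.test";
       disabled during migration */
    tkey-gssapi-keytab "/etc/named.keytab";   # active setting
};
"""
print(find_gssapi_options(SAMPLE_CONF))
```

An empty result for the main file says nothing about included files, so each of those needs the same check.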
Advisory pushed to SVN.
CVE: (none) => CVE-2020-8625
Keywords: (none) => advisory
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0110.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED