Bug 28873 - bind new security issues CVE-2021-2521[4-6]
Summary: bind new security issues CVE-2021-2521[4-6]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA8-64-OK MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-03 22:52 CEST by David Walser
Modified: 2021-05-28 00:18 CEST

See Also:
Source RPM: bind-9.11.27-1.1.mga8.src.rpm
CVE: CVE-2021-2521[4-6]
Status comment:



Description David Walser 2021-05-03 22:52:10 CEST
ISC has issued advisories on April 28:
https://kb.isc.org/v1/docs/cve-2021-25214
https://kb.isc.org/v1/docs/cve-2021-25215
https://kb.isc.org/v1/docs/cve-2021-25216

The issues are fixed upstream in 9.11.31.

Red Hat has issued an advisory for one of these issues on April 29:
https://access.redhat.com/errata/RHSA-2021:1469

Mageia 7 is also affected.
David Walser 2021-05-03 22:52:21 CEST

Status comment: (none) => Fixed upstream in 9.11.31
Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2021-05-04 08:05:45 CEST
Assigning to Guillaume, maintainer for bind.

Assignee: bugsquad => guillomovitch

Comment 2 David Walser 2021-05-15 00:13:49 CEST
Announcement thread with a little more information:
https://www.openwall.com/lists/oss-security/2021/04/29/1
Comment 3 David Walser 2021-05-15 21:20:25 CEST
Update built by Guillaume for Mageia 8 (forgot to remove subrel, oops).  Nothing for Mageia 7 yet.

bind-9.11.31-1.1.mga8
libdns1114-9.11.31-1.1.mga8
libdns_pkcs11_1114-9.11.31-1.1.mga8
bind-devel-9.11.31-1.1.mga8
bind-sdb-9.11.31-1.1.mga8
bind-pkcs11-9.11.31-1.1.mga8
bind-utils-9.11.31-1.1.mga8
bind-pkcs11-utils-9.11.31-1.1.mga8
libisc_pkcs11_1107-9.11.31-1.1.mga8
libisc1107-9.11.31-1.1.mga8
python3-bind-9.11.31-1.1.mga8
bind-dnssec-utils-9.11.31-1.1.mga8
libisccfg163-9.11.31-1.1.mga8
liblwres161-9.11.31-1.1.mga8
libbind9_161-9.11.31-1.1.mga8
bind-pkcs11-devel-9.11.31-1.1.mga8
libisccc161-9.11.31-1.1.mga8
bind-sdb-chroot-9.11.31-1.1.mga8
libirs161-9.11.31-1.1.mga8
bind-chroot-9.11.31-1.1.mga8
Comment 4 Guillaume Rousse 2021-05-17 19:21:33 CEST
I asked for an admin to remove those packages, so as to submit them again with correct release.

For Mageia 7, the version change 9.11.6 -> 9.11.31 seems a bit excessive for a security update, and I couldn't find suitable patches except for CVE-2021-25215.
Comment 5 Thomas Backlund 2021-05-17 20:12:22 CEST
The "extra" subrel does not really matter so just go ahead and test it...
Comment 6 Aurelien Oudelet 2021-05-20 18:48:02 CEST
(In reply to Guillaume Rousse from comment #4)
> I asked for an admin to remove those packages, so as to submit them again
> with correct release.
> 
> For Mageia 7, the version change 9.11.6 -> 9.11.31 seems a bit excessive for
> a security update, and I couldn't find suitable patches except for
> CVE-2021-25215.

(In reply to Thomas Backlund from comment #5)
> The "extra" subrel does not really matter so just go ahead and test it...

So, Assigning to QA

Advisory soon.

Assignee: guillomovitch => qa-bugs
CC: (none) => ouaurelien

Comment 7 David Walser 2021-05-20 20:16:46 CEST
Even for 9.11.26 Red Hat only fixed CVE-2021-25215, so I guess that's fine (mga7).
Comment 8 Aurelien Oudelet 2021-05-22 15:58:08 CEST
Advisory:
========================

Updated bind packages fix security vulnerabilities:

A broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly (CVE-2021-25214).

An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself (CVE-2021-25215).

A second vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack (CVE-2021-25216).

References:
 - https://access.redhat.com/errata/RHSA-2021:1469
 - https://kb.isc.org/v1/docs/cve-2021-25214
 - https://kb.isc.org/v1/docs/cve-2021-25215
 - https://kb.isc.org/v1/docs/cve-2021-25216
 - https://www.openwall.com/lists/oss-security/2021/04/29/1
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25214
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25215
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25216
========================

Updated packages in 8/core/updates_testing:
========================
bind-9.11.31-1.1.mga8
lib(64)dns1114-9.11.31-1.1.mga8
lib(64)dns_pkcs11_1114-9.11.31-1.1.mga8
bind-devel-9.11.31-1.1.mga8
bind-sdb-9.11.31-1.1.mga8
bind-pkcs11-9.11.31-1.1.mga8
bind-utils-9.11.31-1.1.mga8
bind-pkcs11-utils-9.11.31-1.1.mga8
lib(64)isc_pkcs11_1107-9.11.31-1.1.mga8
lib(64)isc1107-9.11.31-1.1.mga8
python3-bind-9.11.31-1.1.mga8
bind-dnssec-utils-9.11.31-1.1.mga8
lib(64)isccfg163-9.11.31-1.1.mga8
lib(64)lwres161-9.11.31-1.1.mga8
lib(64)bind9_161-9.11.31-1.1.mga8
bind-pkcs11-devel-9.11.31-1.1.mga8
lib(64)isccc161-9.11.31-1.1.mga8
bind-sdb-chroot-9.11.31-1.1.mga8
lib(64)irs161-9.11.31-1.1.mga8
bind-chroot-9.11.31-1.1.mga8

from SRPM:
bind-9.11.31-1.1.mga8.src.rpm
Comment 9 Aurelien Oudelet 2021-05-22 16:07:53 CEST
$ inxi -Sxx
System:
Host: mageia.local Kernel: 5.10.37-desktop-2.mga8 x86_64 bits: 64 compiler: gcc v: 10.3.0 
Desktop: KDE Plasma 5.20.4 tk: Qt 5.15.2 wm: kwin_x11 dm: SDDM Distro: Mageia 8 mga8

Updating these RPMs to:

- bind-utils-9.11.31-1.1.mga8.x86_64
- lib64bind9_161-9.11.31-1.1.mga8.x86_64
- lib64dns1114-9.11.31-1.1.mga8.x86_64
- lib64irs161-9.11.31-1.1.mga8.x86_64
- lib64isc1107-9.11.31-1.1.mga8.x86_64
- lib64isccfg163-9.11.31-1.1.mga8.x86_64
- lib64lwres161-9.11.31-1.1.mga8.x86_64

They are by default installed on Mageia 8.

Update OK.
Resolving DNS is OK, even after a reboot.

MGA8-64-OK

Status for Mageia 7?

CVE: (none) => CVE-2021-2521[4-6]
Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK

Comment 10 David Walser 2021-05-22 17:29:41 CEST
Mageia 7 advisory should only have CVE-2021-25215.
David Walser 2021-05-22 17:29:56 CEST

Status comment: Fixed upstream in 9.11.31 => (none)

Comment 11 Dave Hodgins 2021-05-22 23:02:57 CEST
So separate advisories for m7 and m8. The m8 advisory is in comment 8. For m7 ...

Advisory:
========================
Updated bind packages fix security vulnerabilities:

An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself (CVE-2021-25215).

References:
 - https://access.redhat.com/errata/RHSA-2021:1469
 - https://kb.isc.org/v1/docs/cve-2021-25215
 - https://www.openwall.com/lists/oss-security/2021/04/29/1
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25215

With srpm bind-9.11.6-1.4.mga7.src.rpm

Correct?

CC: (none) => davidwhodgins

Comment 12 Dave Hodgins 2021-05-22 23:18:39 CEST
Adding the MGA7-64-OK tag. Been using it with no regressions noticed since
2021-05-17T15:11:04 EDT

Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA8-64-OK MGA7-64-OK

Comment 13 Aurelien Oudelet 2021-05-23 16:31:29 CEST
Advisory committed.
Validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 14 Aurelien Oudelet 2021-05-23 17:08:24 CEST
Other test:
$ rpm -qa | grep bind
lib64bind9_161-9.11.31-1.1.mga8
python3-bind-9.11.31-1.1.mga8
bind-utils-9.11.31-1.1.mga8
bind-9.11.31-1.1.mga8
bind-dnssec-utils-9.11.31-1.1.mga8

Using bind to share Internet from an Ethernet connection to a WiFi connection with Mageia Control Centre "Share the Internet connection with other local machines" (in Network & Internet).

$ systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
     Active: active (running) since Sun 2021-05-23 17:03:16 CEST; 1min 19s ago
   Main PID: 9924 (named)
      Tasks: 7 (limit: 4693)
     Memory: 55.8M
        CPU: 57ms
     CGroup: /system.slice/named.service
             └─9924 /usr/sbin/named -u named -c /etc/named.conf

mai 23 17:03:16 localhost named[9924]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
mai 23 17:03:16 localhost named[9924]: resolver priming query complete

Give real OK.
Comment 15 Mageia Robot 2021-05-23 20:46:27 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0220.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 16 David Walser 2021-05-28 00:18:14 CEST
Mageia 7 was not vulnerable to CVE-2021-25216, as it already had the --disable-isc-spnego compile option.

CVE-2021-25214 appears to be fixable, as Debian fixed it.

Filed Bug 28978 for that.

CC: (none) => guillomovitch
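
Added example (not part of the bug report, and not Mageia or ISC tooling): a shell check built on two facts from this thread, that the three CVEs are fixed upstream in 9.11.31 and that a build configured with --disable-isc-spnego is not vulnerable to CVE-2021-25216. It reads the version and configure arguments from `named -V` output; the function names and the sample reports are constructed for illustration, and only the 9.11 branch is handled.

```shell
#!/bin/sh
# Added example. Facts from this bug: fixes are upstream in 9.11.31, and
# --disable-isc-spnego builds are not vulnerable to CVE-2021-25216.
FIXED=9.11.31

# Print x.y.z from the first "BIND ..." line of `named -V` text on stdin.
bind_version() {
    sed -n 's/^BIND \([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p' | head -n 1
}

# Succeed when dotted version $1 >= $2, comparing fields numerically.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Classify one `named -V` report passed as $1. Only the 9.11 branch is
# handled, because it is the only branch this bug discusses.
assess() {
    ver=$(printf '%s\n' "$1" | bind_version)
    case "$ver" in
        9.11.*) ;;
        *) echo "unknown-branch"; return 0 ;;
    esac
    if version_ge "$ver" "$FIXED"; then
        echo "fixed-upstream"; return 0
    fi
    # Older version string: the distribution may carry backported patches,
    # so the version cannot clear CVE-2021-25214/25215 by itself. The
    # configure flag can clear CVE-2021-25216.
    if printf '%s\n' "$1" | grep -q -e '--disable-isc-spnego'; then
        echo "review-backports spnego-disabled"
    else
        echo "review-backports spnego-enabled"
    fi
}

# Constructed sample reports (not captured from a real host).
OLD_NO_SPNEGO="BIND 9.11.6 (Extended Support Version) <id:constructed>
built by make with '--enable-threads' '--disable-isc-spnego'"
OLD_SPNEGO="BIND 9.11.6 (Extended Support Version) <id:constructed>
built by make with '--enable-threads'"
# On a live host: assess "$(named -V)"
```

A `review-backports` result means the package changelog still has to be read, as with the 9.11.6 build for Mageia 7 in this thread, which carries the CVE-2021-25215 patch under an old version number.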

