ISC has issued advisories on April 28: https://kb.isc.org/v1/docs/cve-2021-25214 https://kb.isc.org/v1/docs/cve-2021-25215 https://kb.isc.org/v1/docs/cve-2021-25216 The issues are fixed upstream in 9.11.31. RedHat has issued an advisory for one of these issues on April 29: https://access.redhat.com/errata/RHSA-2021:1469 Mageia 7 is also affected.
Status comment: (none) => Fixed upstream in 9.11.31Whiteboard: (none) => MGA7TOO
Assigning to Guillaume, maintainer for bind.
Assignee: bugsquad => guillomovitch
Announcement thread with a little more information: https://www.openwall.com/lists/oss-security/2021/04/29/1
Update built by Guillaume for Mageia 8 (forgot to remove subrel, oops). Nothing for Mageia 7 yet. bind-9.11.31-1.1.mga8 libdns1114-9.11.31-1.1.mga8 libdns_pkcs11_1114-9.11.31-1.1.mga8 bind-devel-9.11.31-1.1.mga8 bind-sdb-9.11.31-1.1.mga8 bind-pkcs11-9.11.31-1.1.mga8 bind-utils-9.11.31-1.1.mga8 bind-pkcs11-utils-9.11.31-1.1.mga8 libisc_pkcs11_1107-9.11.31-1.1.mga8 libisc1107-9.11.31-1.1.mga8 python3-bind-9.11.31-1.1.mga8 bind-dnssec-utils-9.11.31-1.1.mga8 libisccfg163-9.11.31-1.1.mga8 liblwres161-9.11.31-1.1.mga8 libbind9_161-9.11.31-1.1.mga8 bind-pkcs11-devel-9.11.31-1.1.mga8 libisccc161-9.11.31-1.1.mga8 bind-sdb-chroot-9.11.31-1.1.mga8 libirs161-9.11.31-1.1.mga8 bind-chroot-9.11.31-1.1.mga8
I asked for an admin to remove those packages, so as to submit them again with correct release. For mageia 7, the version change 9.11.6 -> 9.11.31 seems a bit excessive for a security update, and I couldn't find suitable patches excepted for CVE-2021-25215.
The "extra" subrel does not really matter so just go ahead and test it...
(In reply to Guillaume Rousse from comment #4) > I asked for an admin to remove those packages, so as to submit them again > with correct release. > > For mageia 7, the version change 9.11.6 -> 9.11.31 seems a bit excessive for > a security update, and I couldn't find suitable patches excepted for > CVE-2021-25215. (In reply to Thomas Backlund from comment #5) > The "extra" subrel does not really matter so just go ahead and test it... So, Assigning to QA Advisory soon.
Assignee: guillomovitch => qa-bugsCC: (none) => ouaurelien
Even for 9.11.26 RedHat only fixed CVE-2021-25215, so I guess that's fine (mga7).
Advisory: ======================== Updated bind packages fix security vulnerabilities: A broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly(CVE-2021-25214). An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself (CVE-2021-25215). A second vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack (CVE-2021-25216). References: - https://access.redhat.com/errata/RHSA-2021:1469 - https://kb.isc.org/v1/docs/cve-2021-25214 - https://kb.isc.org/v1/docs/cve-2021-25215 - https://kb.isc.org/v1/docs/cve-2021-25216 - https://www.openwall.com/lists/oss-security/2021/04/29/1 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25214 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25215 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25216 ======================== Updated packages in 8/core/updates_testing: ======================== bind-9.11.31-1.1.mga8 lib(64)dns1114-9.11.31-1.1.mga8 lib(64)dns_pkcs11_1114-9.11.31-1.1.mga8 bind-devel-9.11.31-1.1.mga8 bind-sdb-9.11.31-1.1.mga8 bind-pkcs11-9.11.31-1.1.mga8 bind-utils-9.11.31-1.1.mga8 bind-pkcs11-utils-9.11.31-1.1.mga8 lib(64)isc_pkcs11_1107-9.11.31-1.1.mga8 lib(64)isc1107-9.11.31-1.1.mga8 python3-bind-9.11.31-1.1.mga8 bind-dnssec-utils-9.11.31-1.1.mga8 lib(64)isccfg163-9.11.31-1.1.mga8 lib(64)lwres161-9.11.31-1.1.mga8 lib(64)bind9_161-9.11.31-1.1.mga8 bind-pkcs11-devel-9.11.31-1.1.mga8 lib(64)isccc161-9.11.31-1.1.mga8 bind-sdb-chroot-9.11.31-1.1.mga8 lib(64)irs161-9.11.31-1.1.mga8 bind-chroot-9.11.31-1.1.mga8 from SRPM: bind-9.11.31-1.1.mga8.src.rpm
$ inxi -Sxx System: Host: mageia.local Kernel: 5.10.37-desktop-2.mga8 x86_64 bits: 64 compiler: gcc v: 10.3.0 Desktop: KDE Plasma 5.20.4 tk: Qt 5.15.2 wm: kwin_x11 dm: SDDM Distro: Mageia 8 mga8 Updating these RPMs to: - bind-utils-9.11.31-1.1.mga8.x86_64 - lib64bind9_161-9.11.31-1.1.mga8.x86_64 - lib64dns1114-9.11.31-1.1.mga8.x86_64 - lib64irs161-9.11.31-1.1.mga8.x86_64 - lib64isc1107-9.11.31-1.1.mga8.x86_64 - lib64isccfg163-9.11.31-1.1.mga8.x86_64 - lib64lwres161-9.11.31-1.1.mga8.x86_64 They are by default installed on Mageia 8. Update OK. Resolving DNS is OK, even after a reboot. MGA8-64-OK Stauts for Mageia 7?
CVE: (none) => CVE-2021-2521[4-6]Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK
Mageia 7 advisory should only have CVE-2021-25215.
Status comment: Fixed upstream in 9.11.31 => (none)
So separate advisories for m7 and m8. The m8 advisory is in comment 8. For m7 ... Advisory: ======================== Updated bind packages fix security vulnerabilities: An assertion check can fail while answering queries for DNAME records that require the DNAME to be processed to resolve itself (CVE-2021-25215). References: - https://access.redhat.com/errata/RHSA-2021:1469 - https://kb.isc.org/v1/docs/cve-2021-25215 - https://www.openwall.com/lists/oss-security/2021/04/29/1 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25215 With srpm bind-9.11.6-1.4.mga7.src.rpm Correct?
CC: (none) => davidwhodgins
Adding the MGA7-64-OK tag. Been using it with no regressions noticed since 2021-05-17T15:11:04 EDT
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA8-64-OK MGA7-64-OK
Advisory committed. Validating.
Keywords: (none) => advisory, validated_updateCC: (none) => sysadmin-bugs
Other test: $ rpm -qa | grep bind lib64bind9_161-9.11.31-1.1.mga8 python3-bind-9.11.31-1.1.mga8 bind-utils-9.11.31-1.1.mga8 bind-9.11.31-1.1.mga8 bind-dnssec-utils-9.11.31-1.1.mga8 Using bind to share Internet from an Ethernet connection to a WiFi connection with Magiea Control Centre "Share the Internet connection with other local machines" (in Network & Internet). $ systemctl status named ● named.service - Berkeley Internet Name Domain (DNS) Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled) Active: active (running) since Sun 2021-05-23 17:03:16 CEST; 1min 19s ago Main PID: 9924 (named) Tasks: 7 (limit: 4693) Memory: 55.8M CPU: 57ms CGroup: /system.slice/named.service └─9924 /usr/sbin/named -u named -c /etc/named.conf mai 23 17:03:16 localhost named[9924]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted mai 23 17:03:16 localhost named[9924]: resolver priming query complete Give real OK.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0220.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
Mageia 7 was not vulnerable to CVE-2021-25216, as it already had the --disable-isc-spnego compile option. CVE-2021-25214 appears to be fixable, as Debian fixed it. Filed Bug 28978 for that.
CC: (none) => guillomovitch