+++ This bug was initially created as a clone of Bug #28873 +++

ISC has issued advisories on April 28:
https://kb.isc.org/v1/docs/cve-2021-25214

The issues are fixed upstream in 9.11.31.

Debian has issued an advisory for this on May 1:
https://www.debian.org/security/2021/dsa-4909

We fixed CVE-2021-25215 in Bug 28873, but didn't fix CVE-2021-25214.

Debian fixed both in this commit:
https://salsa.debian.org/dns-team/bind9/-/commit/ffe31aafbfbc51776cbfa96183ea4d467fe2f818
Ubuntu also fixed this issue in 9.11.3 on April 29: https://ubuntu.com/security/notices/USN-4929-1
Advisory:
========================

Updated bind packages fix security vulnerability:

Incremental zone transfers (IXFR) provide a way of transferring changed portion(s) of a zone between servers. An IXFR stream containing SOA records with an owner name other than the transferred zone's apex may cause the receiving named server to inadvertently remove the SOA record for the zone in question from the zone database. This leads to an assertion failure when the next SOA refresh query for that zone is made (CVE-2021-25214).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25214
https://kb.isc.org/v1/docs/cve-2021-25214
https://www.debian.org/security/2021/dsa-4909
========================

Updated packages in core/updates_testing:
========================
bind-9.11.6-1.5.mga7
bind-sdb-9.11.6-1.5.mga7
bind-utils-9.11.6-1.5.mga7
bind-dnssec-utils-9.11.6-1.5.mga7
libdns1105-9.11.6-1.5.mga7
libirs161-9.11.6-1.5.mga7
libisc1100-9.11.6-1.5.mga7
libbind9_161-9.11.6-1.5.mga7
liblwres161-9.11.6-1.5.mga7
libisccc161-9.11.6-1.5.mga7
libisccfg163-9.11.6-1.5.mga7
bind-devel-9.11.6-1.5.mga7
bind-chroot-9.11.6-1.5.mga7
bind-sdb-chroot-9.11.6-1.5.mga7
python3-bind-9.11.6-1.5.mga7

from bind-9.11.6-1.5.mga7.src.rpm
Assignee: guillomovitch => qa-bugs
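Added example, not part of the bug report and not ISC or Mageia code: a check for the condition the advisory describes, run over a captured IXFR answer in dig-style presentation text (one record per line, which is an assumption). It also checks the RFC 1995 framing, which goes beyond the advisory text; the zone `example.test` and all sample records are constructed.

```python
# Added example: audit a captured IXFR answer for SOA records whose owner
# is not the zone apex (the condition described for CVE-2021-25214).

def norm(name):
    """DNS names compare case-insensitively; make them lower-case and absolute."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def parse_rr(line):
    """Parse 'owner TTL class type rdata...' (dig-style, one record per line)."""
    fields = line.split()
    if len(fields) < 5:
        raise ValueError(f"not a resource record: {line!r}")
    return norm(fields[0]), fields[3].upper(), fields[4:]

def audit_ixfr(zone, text):
    """Return (line_number, problem) tuples; an empty list means no findings."""
    apex, findings, rrs = norm(zone), [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith(";"):
            rrs.append((lineno, *parse_rr(line)))
    for lineno, owner, rrtype, rdata in rrs:
        if rrtype == "SOA" and owner != apex:
            # SOA rdata is: mname rname serial refresh retry expire minimum
            findings.append((lineno, f"SOA owned by {owner}, serial {rdata[2]}"))
    # RFC 1995: the difference sequences are preceded and followed by the
    # server's current SOA, so both ends of the answer must be an apex SOA.
    for lineno, owner, rrtype, _ in rrs[:1] + rrs[-1:]:
        if rrtype != "SOA" or owner != apex:
            findings.append((lineno, "stream not framed by the apex SOA"))
    return findings

# Constructed sample: IXFR answer for example.test., serial 3 -> 4.
SAMPLE = """\
; constructed IXFR answer, not captured from a real server
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 4 7200 900 1209600 300
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 3 7200 900 1209600 300
old.example.test. 300 IN A 192.0.2.10
Example.TEST. 3600 IN SOA ns1.example.test. admin.example.test. 4 7200 900 1209600 300
new.example.test. 300 IN A 192.0.2.20
sub.example.test. 3600 IN SOA ns1.example.test. admin.example.test. 4 7200 900 1209600 300
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 4 7200 900 1209600 300
"""

if __name__ == "__main__":
    for lineno, problem in audit_ixfr("example.test", SAMPLE):
        print(f"line {lineno}: {problem}")
```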
MGA7-64 Plasma on Lenovo B50
No installation issues.
Worked OK as client to my own DNS-server on my desktop machine.
Used webmin to define a small DNS-server, and after the usual fiddling with the location of the conf and zone files, the server responded OK.

# systemctl -l status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2021-06-22 15:18:57 CEST; 3s ago
  Process: 6255 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone file>
  Process: 6257 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 6258 (named)
    Tasks: 7 (limit: 4915)
   Memory: 55.9M
   CGroup: /system.slice/named.service
           └─6258 /usr/sbin/named -u named -c /etc/named.conf

Jun 22 15:18:57 mach5.hviaene.thuis named[6258]: configuring command channel from '/etc/rndc.key'
Jun 22 15:18:57 mach5.hviaene.thuis named[6258]: command channel listening on 127.0.0.1#953
Jun 22 15:18:57 mach5.hviaene.thuis named[6258]: configuring command channel from '/etc/rndc.key'
Jun 22 15:18:57 mach5.hviaene.thuis named[6258]: command channel listening on ::1#953
Jun 22 15:18:57 mach5.hviaene.thuis named[6258]: the working directory is not writable
Jun 22 15:18:57 mach5.hviaene.thuis named[6258]: managed-keys-zone: loaded serial 0
Jun 22 15:18:57 mach5.hviaene.thuis named[6258]: zone hviaene.thuis/IN: loaded serial 1624367248
Jun 22 15:18:57 mach5.hviaene.thuis named[6258]: all zones loaded
Jun 22 15:18:57 mach5.hviaene.thuis named[6258]: running
Jun 22 15:18:57 mach5.hviaene.thuis systemd[1]: Started Berkeley Internet Name Domain (DNS).

Good enough for me.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Keywords: (none) => advisory
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0275.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED