Fedora has issued an advisory today (December 17): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2X73FZHU3TMEVLPJ6AFGATNWWADHGZW3/ The issues are fixed upstream in 1.8.0 (Fedora updated to 1.8.1). Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 1.8.0CC: (none) => geiger.david68210, guillomovitchWhiteboard: (none) => MGA8TOO
updated in cauldron.
Version: Cauldron => 8CC: (none) => mageiaWhiteboard: MGA8TOO => (none)
new version pushed in mga8 src: - ldns-1.8.1-1.mga8
Assignee: bugsquad => qa-bugs
python3-ldns-1.8.1-1.mga8 libldns-devel-1.8.1-1.mga8 libldns3-1.8.1-1.mga8 ldns-utils-1.8.1-1.mga8 from ldns-1.8.1-1.mga8.src.rpm
Status comment: Fixed upstream in 1.8.0 => (none)
MGA8-64 Plasma on Lenovo B50 in Dutch No installation issues Ref bug 13324 for testing $ mkdir testldns $ cd testldns $ ldns-keygen -a RSASHA1_NSEC3 -b 1024 example.net Kexample.net.+007+03893 $ ll totaal 8 -rw-r--r-- 1 tester8 tester8 241 dec 20 14:19 Kexample.net.+007+03893.key -rw------- 1 tester8 tester8 943 dec 20 14:19 Kexample.net.+007+03893.private $ urpmf ldns-utils | grep bin ldns-utils:/usr/bin/drill ldns-utils:/usr/bin/ldns-chaos ldns-utils:/usr/bin/ldns-compare-zones ldns-utils:/usr/bin/ldns-dane ldns-utils:/usr/bin/ldns-dpa etc.... $ ldns-mx mageia.org mageia.org. 1800 IN MX 10 sucuk.mageia.org. mageia.org. 1800 IN MX 20 neru.mageia.org. $ drill mageia.org @8.8.8.8 ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 11653 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; mageia.org. IN A ;; ANSWER SECTION: mageia.org. 1800 IN A 163.172.148.228 ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 2155 msec ;; SERVER: 8.8.8.8 ;; WHEN: Mon Dec 20 14:21:44 2021 ;; MSG SIZE rcvd: 44 If Claire OK'ed this on these tests, I'll follow her.
Whiteboard: (none) => MGA8-64-OKCC: (none) => herman.viaene
If I learned anything in my early days with QA, it was "don't argue with Claire." ;-) Validating.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0582.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED
rhbz#2028468 is CVE-2020-19861, and CVE-2020-19860 was also fixed in 1.8.0 and in this update: https://bugzilla.redhat.com/show_bug.cgi?id=2044427 https://ubuntu.com/security/notices/USN-5257-1
Summary: ldns new security issues rhbz#2028468, rhbz#2028465, rhbz#2028472 => ldns new security issues rhbz#2028468, rhbz#2028465, rhbz#2028472 (CVE-2020-19860, CVE-2020-19861)