ISC has issued advisories on March 16:
https://kb.isc.org/docs/cve-2021-25220
https://kb.isc.org/docs/cve-2022-0396

The issues are fixed upstream in 9.11.37 and 9.16.27.

Patches are here:
https://downloads.isc.org/isc/bind9/9.11.37/patches/
https://downloads.isc.org/isc/bind9/9.16.27/patches/

Mageia 8 is also affected by CVE-2021-25220.

Status comment: (none) => Fixed upstream in 9.11.37 and 9.16.27
Whiteboard: (none) => MGA8TOO
Ubuntu has issued an advisory for this today (March 17): https://ubuntu.com/security/notices/USN-5332-1
Have to assign this globally, no one maintainer evident.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

DNS forwarders - cache poisoning vulnerability. (CVE-2021-25220)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25220
https://kb.isc.org/docs/cve-2021-25220
https://ubuntu.com/security/notices/USN-5332-1
========================

Updated packages in core/updates_testing:
========================
bind-devel-9.11.37-1.mga8
lib(64)dns_pkcs11_1115-9.11.37-1.mga8
lib(64)dns1115-9.11.37-1.mga8
bind-sdb-9.11.37-1.mga8
bind-utils-9.11.37-1.mga8
bind-pkcs11-9.11.37-1.mga8
bind-pkcs11-utils-9.11.37-1.mga8
lib(64)isc_pkcs11_1107-9.11.37-1.mga8
lib(64)isccfg163-9.11.37-1.mga8
bind-dnssec-utils-9.11.37-1.mga8
python3-bind-9.11.37-1.mga8
lib(64)isc1107-9.11.37-1.mga8
lib(64)isccc161-9.11.37-1.mga8
lib(64)bind9_161-9.11.37-1.mga8
lib(64)irs161-9.11.37-1.mga8
lib(64)lwres161-9.11.37-1.mga8
bind-pkcs11-devel-9.11.37-1.mga8
bind-sdb-chroot-9.11.37-1.mga8
bind-chroot-9.11.37-1.mga8
bind-9.11.37-1.mga8

from SRPM:
bind-9.11.37-1.mga8.src.rpm

Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Source RPM: bind-9.16.25-2.mga9.src.rpm => bind-9.11.36-1.1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 9.11.37 and 9.16.27 => (none)
CC: (none) => nicolas.salguero
Version: Cauldron => 8
CVE: (none) => CVE-2021-25220

mga8, x64

Installed all 20 core packages before updating.
Tested before but had to refer to earlier bug reports for hints.

Queried the downloaded RPM to find out what bind-utils provides:
/usr/bin/arpaname
/usr/bin/delv
/usr/bin/dig
/usr/bin/host
/usr/bin/nslookup
/usr/bin/nsupdate
/usr/bin/queryperf
/usr/sbin/ddns-confgen
/usr/sbin/genrandom
/usr/sbin/isc-hmac-fixup
/usr/sbin/named-checkzone
/usr/sbin/named-compilezone
/usr/sbin/nsec3hash
/usr/sbin/tsig-keygen

$ sudo systemctl start named
$ sudo systemctl status named
OK

$ dig @localhost mageia.org
; <<>> DiG 9.11.37Mageia-1.mga8 <<>> @localhost mageia.org
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15219
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f06e9010dde652c5ec283e1262376ff2ba2f80d825bceb8f (good)
;; QUESTION SECTION:
;mageia.org. IN A
[....]

$ delv @canopus -4 -c IN google.com A
; unsigned answer
google.com. 300 IN A 172.217.169.14

$ nslookup google.com
Server: ............
Address: ............
Non-authoritative answer:
Name: google.com
Address: 172.217.16.238
Name: google.com
Address: 2a00:1450:4009:821::200e

$ host virginmedia.com
virginmedia.com has address 213.105.9.24
virginmedia.com mail is handled by 1 mx.tb.ukmail.iss.as9143.net.

$ nslookup 213.105.9.24
24.9.105.213.in-addr.arpa name = www.virginmedia.com.

For lack of knowledge I need to leave this as it is. The user utilities work at a basic level.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
I run named on three of my installs. No regressions noticed. Validating the update.
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0108.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED