Ubuntu has issued an advisory today (July 26): http://www.ubuntu.com/usn/usn-1518-1/ Mageia 1 and Mageia 2 are also affected. It is fixed in 9.8.3-P2 and 9.9.1-P2.
CC: (none) => guillomovitchWhiteboard: (none) => MGA2TOO, MGA1TOO
Mandriva has issued an advisory for this today (July 29): http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:119
Fixed in Cauldron by Guillaume Rousse.
Version: Cauldron => 2Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
Severity: normal => major
Priority: Normal => High
There is also CVE-2012-3868, which affects 9.9.x and was fixed in 9.9.1-P2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3868 http://lists.fedoraproject.org/pipermail/package-announce/2012-August/084813.html http://lwn.net/Vulnerabilities/510669/
Summary: bind new security issue CVE-2012-3817 => bind new security issues CVE-2012-3817 and CVE-2012-3868
Updated packages uploaded for Mageia 1 and Mageia 2. Advisory (Mageia 1): ======================== Updated bind packages fix security vulnerability: High numbers of queries with DNSSEC validation enabled can cause an assertion failure in named, caused by using a bad cache data structure before it has been initialized (CVE-2012-3817). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3817 ftp://ftp.isc.org/isc/bind9/9.8.3-P2/RELEASE-NOTES-BIND-9.8.3-P2.txt https://kb.isc.org/article/AA-00729 http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:119 ======================== Advisory (Mageia 2): ======================== Updated bind packages fix security vulnerabilities: High numbers of queries with DNSSEC validation enabled can cause an assertion failure in named, caused by using a bad cache data structure before it has been initialized (CVE-2012-3817). Race condition in the ns_client structure management in ISC BIND 9.9.x before 9.9.1-P2 allows remote attackers to cause a denial of service (memory consumption or process exit) via a large volume of TCP queries (CVE-2012-3868). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3817 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3868 ftp://ftp.isc.org/isc/bind9/9.9.1-P2/RELEASE-NOTES-BIND-9.9.1-P2.txt https://kb.isc.org/article/AA-00729 https://kb.isc.org/article/AA-00730 http://lists.fedoraproject.org/pipermail/package-announce/2012-August/084813.html http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:119 ======================== Updated packages in core/updates_testing: ======================== bind-9.8.3P2-1.mga1 bind-utils-9.8.3P2-1.mga1 bind-devel-9.8.3P2-1.mga1 bind-doc-9.8.3P2-1.mga1 bind-9.9.1.P2-1.mga2 bind-sdb-9.9.1.P2-1.mga2 bind-utils-9.9.1.P2-1.mga2 bind-devel-9.9.1.P2-1.mga2 bind-doc-9.9.1.P2-1.mga2 from SRPMS: bind-9.8.3P2-1.mga1.src.rpm bind-9.9.1.P2-1.mga2.src.rpm
Assignee: bugsquad => qa-bugs
Testing complete. Mageia 1 and 2, i586 and x86-64 No poc, so just testing that the update installs cleanly, and after starting named, can lookup hosts and pointers using the server at 127.0.0.1 Could someone from the sysadmin team push the srpm bind-9.9.1.P2-1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm bind-9.8.3P2-1.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates. Please see comment 4 for the two separate advisories.
Keywords: (none) => validated_updateCC: (none) => davidwhodgins, sysadmin-bugsWhiteboard: MGA1TOO => MGA1TOO MGA1-32-OK MGA1-64-OK MGA2-32-OK MGA2-64-OK
Update pushed: Mageia 1: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0257 Mageia 2: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0258
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED