Bug 7762 - bind new security issue CVE-2012-5166
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/519152/
Whiteboard: MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64...
Keywords: validated_update
Depends on:
Blocks: 7540
Reported: 2012-10-10 16:35 CEST by David Walser
Modified: 2012-10-11 08:05 CEST

See Also:
Source RPM: bind-9.9.1.P3-1.mga2.src.rpm
CVE:
Status comment:



Description David Walser 2012-10-10 16:35:20 CEST
Mandriva has issued an advisory today (October 10):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:162

Updated packages uploaded for Mageia 1 and Mageia 2.

Advisory:
========================

Updated bind packages fix security vulnerability:

A certain combination of records in the RBT could cause named to hang
while populating the additional section of a response.
(CVE-2012-5166).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5166
ftp://ftp.isc.org/isc/bind/9.8.3-P4/CHANGES
ftp://ftp.isc.org/isc/bind/9.9.1-P4/CHANGES
ftp://ftp.isc.org/isc/bind9/9.8.3-P4/RELEASE-NOTES-BIND-9.8.3-P4.txt
ftp://ftp.isc.org/isc/bind9/9.9.1-P4/RELEASE-NOTES-BIND-9.9.1-P4.txt
https://kb.isc.org/article/AA-00801
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:162
========================

Updated packages in core/updates_testing:
========================
bind-9.8.3P4-1.mga1
bind-utils-9.8.3P4-1.mga1
bind-devel-9.8.3P4-1.mga1
bind-doc-9.8.3P4-1.mga1
bind-9.9.1.P4-1.mga2
bind-sdb-9.9.1.P4-1.mga2
bind-utils-9.9.1.P4-1.mga2
bind-devel-9.9.1.P4-1.mga2
bind-doc-9.9.1.P4-1.mga2

from SRPMS:
bind-9.8.3P4-1.mga1.src.rpm
bind-9.9.1.P4-1.mga2.src.rpm

David Walser 2012-10-10 16:35:41 CEST

Blocks: (none) => 7540
Whiteboard: (none) => MGA1TOO

David Walser 2012-10-10 23:50:52 CEST

URL: (none) => http://lwn.net/Vulnerabilities/519152/

Comment 1 Dave Hodgins 2012-10-11 06:03:08 CEST
Testing complete Mageia 1 and 2, i586 and x86-64.
Just testing that host and dig work at 127.0.0.1

Could someone from the sysadmin team push the srpm
bind-9.9.1.P4-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
bind-9.8.3P4-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates

Advisory: Updated bind packages fix security vulnerability:

A certain combination of records in the RBT could cause named to hang
while populating the additional section of a response.
(CVE-2012-5166).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5166
ftp://ftp.isc.org/isc/bind/9.8.3-P4/CHANGES
ftp://ftp.isc.org/isc/bind/9.9.1-P4/CHANGES
ftp://ftp.isc.org/isc/bind9/9.8.3-P4/RELEASE-NOTES-BIND-9.8.3-P4.txt
ftp://ftp.isc.org/isc/bind9/9.9.1-P4/RELEASE-NOTES-BIND-9.9.1-P4.txt
https://kb.isc.org/article/AA-00801
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:162

https://bugs.mageia.org/show_bug.cgi?id=7762

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK

Comment 2 Thomas Backlund 2012-10-11 08:05:15 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0287

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

