ISC has issued an advisory on December 4: https://kb.isc.org/article/AA-00828 Fixed upstream in 9.9.2-P1.
CC: (none) => oeWhiteboard: (none) => MGA2TOO
CC: (none) => guillomovitch
Already fixed in Cauldron by Oden.
Version: Cauldron => 2Whiteboard: MGA2TOO => (none)
The most "invasive" change with bind-9.9.2.P1-1.mga2 in updates_testing is that I deactivated dnssec per default. ISC wants to push this technology but it works poorly when not setup properly in the whole chain resulting in massive latencies. To test this you can try it as your recursive resolver and flip "dnssec-enable" and "dnssec-validation" on/off in the /var/lib/named/etc/named.conf file (currently off, but bind-9.9.1.P4-1.mga2 and cauldron has it enabled). You have to restart the service for it to have effect. Use something like "nslookup www.some_domain.com 127.0.0.1" to check the latency.
Thanks Oden. Note to QA, this update has more changes than just updating the version, as there were some changes to the script that sets up the chroot to fix the issues in Bug 7540, and dnssec was disabled by default, as noted by Oden above. Advisory: ======================== Updated bind packages fix security vulnerability: BIND 9 nameservers using the DNS64 IPv6 transition mechanism are vulnerable to a software defect that allows a crafted query to crash the server with a REQUIRE assertion failure. Remote exploitation of this defect can be achieved without extensive effort, resulting in a denial-of-service (DoS) vector against affected servers (CVE-2012-5688). This update provides BIND 9.9.2-P1, which fixes this issue. Also, dnssec has been disabled by default, as it causes significant latency when not configured properly. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5688 ftp://ftp.isc.org/isc/bind/9.9.2-P1/CHANGES ftp://ftp.isc.org/isc/bind/9.9.2-P1/RELEASE-NOTES-BIND-9.9.2-P1.txt https://kb.isc.org/article/AA-00828 ======================== Updated packages in core/updates_testing: ======================== bind-9.9.2.P1-1.mga2 bind-sdb-9.9.2.P1-1.mga2 bind-utils-9.9.2.P1-1.mga2 bind-devel-9.9.2.P1-1.mga2 bind-doc-9.9.2.P1-1.mga2 from bind-9.9.2.P1-1.mga2.src.rpm
Assignee: bugsquad => qa-bugs
Advisory: ======================== Updated bind packages fix security vulnerability: BIND 9 nameservers using the DNS64 IPv6 transition mechanism are vulnerable to a software defect that allows a crafted query to crash the server with a REQUIRE assertion failure. Remote exploitation of this defect can be achieved without extensive effort, resulting in a denial-of-service (DoS) vector against affected servers (CVE-2012-5688). This update provides BIND 9.9.2-P1, which fixes this issue. Also, dnssec has been disabled by default, as it causes significant latency when not configured properly. It was dicovered that the named server segfaulted when stopped that eventually could fill the filesystem with core files, this was fixed with the 9.9.2 version (#7540). It was discovered that the needed openssl engine libgost.so was not updated in the chroot which could cause erratic behaviour (#7540). It was discovered that the mount bind of proc in the chroot did not work due to changes in how the mount command works. This has now been removed as it's not needed anymore (#7540). It was discovered that the root DNS server list was quite dated and this file has been updated.
Additionally, as for 5.) as in https://bugs.mageia.org/show_bug.cgi?id=7540 I do not have a good solution to solve possible problems than to read up on the subject and add the nessesary changes per zone.
BIND 9.8.4-P1 checked into Mageia 1 SVN if anyone wants it.
I've opened a bug report on rpmdrake, after installing this update. Bug 8310 - rpmdrake does not list config files needing inspection, when /etc is in a chroot. I've tested the updated named service, on both x86-64 and i586, and am prepared to validate the update, but before I do, I think it may be a good idea to add a README.urpmi warning people that the named.conf and named.conf.rpmnew files should be inspected. Would you like to add such a file, or should we go ahead and validate this security update?
CC: (none) => davidwhodginsWhiteboard: (none) => feedback
The advisory already says the default config changed. That's sufficient.
Whiteboard: feedback => (none)
Validating the update. Could someone from the sysadmin team push the srpm bind-9.9.2.P1-1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates. Advisory: Updated bind packages fix security vulnerability: BIND 9 nameservers using the DNS64 IPv6 transition mechanism are vulnerable to a software defect that allows a crafted query to crash the server with a REQUIRE assertion failure. Remote exploitation of this defect can be achieved without extensive effort, resulting in a denial-of-service (DoS) vector against affected servers (CVE-2012-5688). This update provides BIND 9.9.2-P1, which fixes this issue. Also, dnssec has been disabled by default, as it causes significant latency when not configured properly. It was dicovered that the named server segfaulted when stopped that eventually could fill the filesystem with core files, this was fixed with the 9.9.2 version (#7540). It was discovered that the needed openssl engine libgost.so was not updated in the chroot which could cause erratic behaviour (#7540). It was discovered that the mount bind of proc in the chroot did not work due to changes in how the mount command works. This has now been removed as it's not needed anymore (#7540). It was discovered that the root DNS server list was quite dated and this file has been updated. https://bugs.mageia.org/show_bug.cgi?id=8304
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: (none) => MGA2-64-OK MGA2-32-OK
URL: (none) => http://lwn.net/Vulnerabilities/528313/
References were missing from the advisory in the previous comment. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5688 ftp://ftp.isc.org/isc/bind/9.9.2-P1/CHANGES ftp://ftp.isc.org/isc/bind/9.9.2-P1/RELEASE-NOTES-BIND-9.9.2-P1.txt https://kb.isc.org/article/AA-00828 https://bugs.mageia.org/show_bug.cgi?id=7540 https://bugs.mageia.org/show_bug.cgi?id=8304
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0354
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED