Bug 8304 - bind new security issue CVE-2012-5688
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal  Severity: critical
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/528313/
Whiteboard: MGA2-64-OK MGA2-32-OK
Keywords: validated_update

Reported: 2012-12-05 13:24 CET by David Walser
Modified: 2012-12-07 13:20 CET

Source RPM: bind-9.9.1.P4-1.mga2.src.rpm

Description David Walser 2012-12-05 13:24:53 CET
ISC has issued an advisory on December 4:
https://kb.isc.org/article/AA-00828

Fixed upstream in 9.9.2-P1.
Comment 1 David Walser 2012-12-05 13:40:49 CET
Already fixed in Cauldron by Oden.
Comment 2 Oden Eriksson 2012-12-05 14:53:42 CET
The most "invasive" change with bind-9.9.2.P1-1.mga2 in updates_testing is that I deactivated dnssec by default. ISC wants to push this technology, but it works poorly when not set up properly in the whole chain, resulting in massive latencies.

To test this you can try it as your recursive resolver and flip "dnssec-enable" and "dnssec-validation" on/off in the /var/lib/named/etc/named.conf file (currently off, but bind-9.9.1.P4-1.mga2 and Cauldron have it enabled). You have to restart the service for it to have effect.

Use something like "nslookup www.some_domain.com 127.0.0.1" to check the latency.
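The test procedure Oden describes (flip the two DNSSEC options in the chroot's named.conf, restart named, time a lookup against 127.0.0.1) as a small script. This is an added example, not code from the bug report or the Mageia bind package. It assumes GNU sed and GNU date (for `%N`), nslookup from bind-utils, and the chroot config path named above; the config fragment it rewrites at the end is constructed for the demo so that the script runs without touching a real server.

```shell
#!/bin/sh
# Added example: toggle BIND's DNSSEC options and time a lookup against the
# local recursive resolver, so "dnssec on" and "dnssec off" latencies can be
# compared. Assumes GNU sed/date and the Mageia chroot config path.

NAMED_CONF="${NAMED_CONF:-/var/lib/named/etc/named.conf}"

# set_dnssec FILE yes|no
# Rewrites every "dnssec-enable ...;" and "dnssec-validation ...;" line in FILE.
set_dnssec() {
    conf="$1"
    val="$2"
    case "$val" in
        yes|no) ;;
        *) echo "usage: set_dnssec FILE yes|no" >&2; return 2 ;;
    esac
    sed -i \
        -e "s/^\([[:space:]]*dnssec-enable[[:space:]]\{1,\}\)[a-z]*[[:space:]]*;/\1${val};/" \
        -e "s/^\([[:space:]]*dnssec-validation[[:space:]]\{1,\}\)[a-z]*[[:space:]]*;/\1${val};/" \
        "$conf"
}

# get_dnssec FILE
# Prints "enable=<value> validation=<value>"; "unset" when an option is absent.
get_dnssec() {
    conf="$1"
    e=$(sed -n 's/^[[:space:]]*dnssec-enable[[:space:]]\{1,\}\([a-z]*\)[[:space:]]*;.*/\1/p' "$conf" | head -n 1)
    v=$(sed -n 's/^[[:space:]]*dnssec-validation[[:space:]]\{1,\}\([a-z]*\)[[:space:]]*;.*/\1/p' "$conf" | head -n 1)
    echo "enable=${e:-unset} validation=${v:-unset}"
}

# time_lookup NAME [SERVER]
# Milliseconds taken by one nslookup of NAME against SERVER (default 127.0.0.1).
# Run it twice per setting: the first query is a cold-cache answer, the second
# shows what the cache hides.
time_lookup() {
    name="$1"
    server="${2:-127.0.0.1}"
    start=$(date +%s%N)
    nslookup "$name" "$server" >/dev/null 2>&1
    end=$(date +%s%N)
    echo $(( (end - start) / 1000000 ))
}

# Demo on a constructed named.conf fragment (not the real chroot file), so the
# script runs offline. Restarting named and timing real lookups is the
# operator's step.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
options {
    directory "/var/named";
    dnssec-enable yes;
    dnssec-validation yes;
};
EOF
echo "before: $(get_dnssec "$demo_conf")"
set_dnssec "$demo_conf" no
echo "after:  $(get_dnssec "$demo_conf")"
rm -f "$demo_conf"
```

Against a real server: `set_dnssec "$NAMED_CONF" yes`, restart named as Oden says, run `time_lookup www.some_domain.com` a couple of times, then repeat with `no`. Keep in mind what the "off" setting buys the latency with: without `dnssec-validation` the resolver accepts unsigned or forged answers for signed zones as readily as for unsigned ones, so a deployment that wants the protection has to fix the chain (trust anchors, upstream forwarders that pass DNSSEC records through) rather than just turn it off.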
Comment 3 David Walser 2012-12-05 15:14:55 CET
Thanks Oden.

Note to QA, this update has more changes than just updating the version, as there were some changes to the script that sets up the chroot to fix the issues in Bug 7540, and dnssec was disabled by default, as noted by Oden above.

Advisory:
========================

Updated bind packages fix security vulnerability:

BIND 9 nameservers using the DNS64 IPv6 transition mechanism are vulnerable
to a software defect that allows a crafted query to crash the server with a
REQUIRE assertion failure.  Remote exploitation of this defect can be
achieved without extensive effort, resulting in a denial-of-service (DoS)
vector against affected servers (CVE-2012-5688).

This update provides BIND 9.9.2-P1, which fixes this issue.

Also, dnssec has been disabled by default, as it causes significant latency
when not configured properly.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5688
ftp://ftp.isc.org/isc/bind/9.9.2-P1/CHANGES
ftp://ftp.isc.org/isc/bind/9.9.2-P1/RELEASE-NOTES-BIND-9.9.2-P1.txt
https://kb.isc.org/article/AA-00828
========================

Updated packages in core/updates_testing:
========================
bind-9.9.2.P1-1.mga2
bind-sdb-9.9.2.P1-1.mga2
bind-utils-9.9.2.P1-1.mga2
bind-devel-9.9.2.P1-1.mga2
bind-doc-9.9.2.P1-1.mga2

from bind-9.9.2.P1-1.mga2.src.rpm
Comment 4 Oden Eriksson 2012-12-05 15:37:40 CET
Advisory:
========================

Updated bind packages fix security vulnerability:

BIND 9 nameservers using the DNS64 IPv6 transition mechanism are vulnerable
to a software defect that allows a crafted query to crash the server with a
REQUIRE assertion failure.  Remote exploitation of this defect can be
achieved without extensive effort, resulting in a denial-of-service (DoS)
vector against affected servers (CVE-2012-5688).

This update provides BIND 9.9.2-P1, which fixes this issue.

Also, dnssec has been disabled by default, as it causes significant latency
when not configured properly.

It was discovered that the named server segfaulted when stopped, which eventually could fill the filesystem with core files; this was fixed with the 9.9.2 version (#7540).

It was discovered that the needed openssl engine libgost.so was not updated in the chroot which could cause erratic behaviour (#7540).

It was discovered that the mount bind of proc in the chroot did not work due to changes in how the mount command works. This has now been removed as it's not needed anymore (#7540).

It was discovered that the root DNS server list was quite dated and this file has been updated.
Comment 5 Oden Eriksson 2012-12-05 15:43:52 CET
Additionally, as for 5.) in https://bugs.mageia.org/show_bug.cgi?id=7540, I do not have a better solution to possible problems than to read up on the subject and add the necessary changes per zone.
Comment 6 David Walser 2012-12-05 15:49:48 CET
BIND 9.8.4-P1 checked into Mageia 1 SVN if anyone wants it.
Comment 7 Dave Hodgins 2012-12-06 00:43:26 CET
I've opened a bug report on rpmdrake, after installing this update.

Bug 8310 - rpmdrake does not list config files needing inspection, when /etc is in a chroot.

I've tested the updated named service, on both x86-64 and i586, and am prepared
to validate the update, but before I do, I think it may be a good idea to add
a README.urpmi warning people that the named.conf and named.conf.rpmnew files
should be inspected.

Would you like to add such a file, or should we go ahead and validate this
security update?
Comment 8 David Walser 2012-12-06 04:31:01 CET
The advisory already says the default config changed.  That's sufficient.
Comment 9 Dave Hodgins 2012-12-06 05:02:02 CET
Validating the update.

Could someone from the sysadmin team push the srpm
bind-9.9.2.P1-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated bind packages fix security vulnerability:

BIND 9 nameservers using the DNS64 IPv6 transition mechanism are vulnerable
to a software defect that allows a crafted query to crash the server with a
REQUIRE assertion failure.  Remote exploitation of this defect can be
achieved without extensive effort, resulting in a denial-of-service (DoS)
vector against affected servers (CVE-2012-5688).

This update provides BIND 9.9.2-P1, which fixes this issue.

Also, dnssec has been disabled by default, as it causes significant latency
when not configured properly.

It was discovered that the named server segfaulted when stopped, which eventually
could fill the filesystem with core files; this was fixed with the 9.9.2
version (#7540).

It was discovered that the needed openssl engine libgost.so was not updated in
the chroot which could cause erratic behaviour (#7540).

It was discovered that the mount bind of proc in the chroot did not work due to
changes in how the mount command works. This has now been removed as it's not
needed anymore (#7540).

It was discovered that the root DNS server list was quite dated and this file
has been updated.

https://bugs.mageia.org/show_bug.cgi?id=8304
Comment 11 Thomas Backlund 2012-12-07 13:20:39 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0354
