Univention Bugzilla – Bug 42557
bind9: Denial of service (3.3)
Last modified: 2016-10-20 13:02:24 CEST
+++ This bug was initially created as a clone of Bug #39544 +++ Upstream Debian package version 1:9.8.4.dfsg.P1-6+nmu2+deb7u7 fixes this issue: * incorrect validation of DNSSEC-signed records in the Bind DNS server could result in denial of service (CVE-2015-5722)
Upstream Debian package version 1:9.8.4.dfsg.P1-6+nmu2+deb7u8 fixes this issue: * Responses with a malformed class attribute can trigger an assertion failure in db.c (CVE-2015-8000)
Upstream Debian package version 1:9.8.4.dfsg.P1-6+nmu2+deb7u9 fixes this issue: * Denial of service due to INSIST failure in apl_42.c triggered by specific APL RR data (CVE-2015-8704)
Upstream Debian package version 1:9.8.4.dfsg.P1-6+nmu2+deb7u10 fixes these issues: * Denial of service due to maliciously crafted rdnc command (CVE-2016-1285) * Denial of service (crash) due to DNAME parsing error (CVE-2016-1286)
Another issue has been reported: * buffer.c in named does not properly construct responses, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted query. (CVE-2016-2776)
Created attachment 8068 [details] cve-2016-2776.patch patch extracted from diffing 1:9.9.5.dfsg-9+deb8u7 against +deb8u76, see http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html
Upstream Debian package version 1:9.8.4.dfsg.P1-6+nmu2+deb7u11 fixes CVE-2016-2776 (and CVE-2016-2775)
r16776 | bind9 Package: bind9 Version: 1:9.8.4.dfsg.P1-6+nmu2.113.201610101550 Branch: ucs_3.3-0 Scope: errata3.3-0 r73049 | Bug #40319: bind9 YAML bind9.yaml => SELECT DISTINCT binver,major,minor,patch,scope FROM binpkg WHERE binpkg='bind9' AND (major=3 AND minor>=2 OR major>=4) ORDER BY major,minor,patch,scope ASC NULLS FIRST; binver | major | minor | patch | scope -----------------------------------------+-------+-------+-------+-------- 1:9.8.0.P4-1.102.201307290920 | 3 | 2 | 0 | 1:9.8.4.dfsg.P1-6+nmu2.113.201508061528 | 3 | 2 | 6 | errata 1:9.8.4.dfsg.P1-6+nmu2.113.201508061528 | 3 | 2 | 7 | 1:9.8.4.dfsg.P1-6+nmu2.113.201610101547 | 3 | 2 | 8 | errata 1:9.8.4.dfsg.P1-6+nmu2.113.201603012216 | 3 | 3 | 0 | 1:9.8.4.dfsg.P1-6+nmu2.113.201610101550 | 3 | 3 | 0 | errata 1:9.8.4.dfsg.P1-6+nmu2.108.201411010114 | 4 | 0 | 0 | 1:9.8.4.dfsg.P1-6+nmu2.109.201501200840 | 4 | 0 | 0 | errata 1:9.8.4.dfsg.P1-6+nmu2.109.201501200840 | 4 | 0 | 1 | 1:9.8.4.dfsg.P1-6+nmu2.114.201508061539 | 4 | 0 | 2 | errata 1:9.8.4.dfsg.P1-6+nmu2.114.201508061539 | 4 | 0 | 3 | 1:9.8.4.dfsg.P1-6+nmu2.115.201610101551 | 4 | 1 | 3 | errata 1:9.9.5.dfsg-9+deb8u6 | 4 | 2 | 0 |
I've started the Jenkins tests: http://jenkins.knut.univention.de:8080/job/UCS-3.3/job/UCS-3.3-0/job/AutotestJoin/106/ http://jenkins.knut.univention.de:8080/job/UCS-3.3/job/UCS-3.3-0/job/AutotestUpgrade/36/ http://jenkins.knut.univention.de:8080/job/UCS-3.3/job/UCS-3.3-0/job/AutotestUpgrade40/33/
Jenkins tests: OK YAML: OK
(In reply to Stefan Gohmann from comment #9) > Jenkins tests: OK > > YAML: OK Manual tests: OK
Waiting for Bug #42590.
Package: bind9 Version: 1:9.8.4.dfsg.P1-6+nmu2.122.201610152025 Branch: ucs_3.3-0 Scope: errata3.3-0 r73255 | Bug #42557 bind9: YAML bind9.yaml
OK, looks good now.
<http://errata.software-univention.de/ucs/3.3/17.html>