Bug 42590 – bind9: Denial of service (3.2)

Bug 42590 - bind9: Denial of service (3.2)


Summary:	bind9: Denial of service (3.2)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 3.2
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 3.2-8-errata
Assigned To:	Philipp Hahn
QA Contact:	Stefan Gohmann

URL:
Keywords:

Depends on:	39544 42557
Blocks:
	Show dependency tree / graph

Reported:	2016-10-06 19:16 CEST by Arvid Requate
Modified:	2016-10-20 13:15 CEST (History)
CC List:	2 users (show)

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	Security
Max CVSS v3 score:

Flags:	requate: Patch_Available+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2016-10-06 19:16:00 CEST

Upstream Debian package version 1:9.8.4.dfsg.P1-6+nmu2+deb7u11 fixes

* buffer.c in named does not properly construct responses, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted query. (CVE-2016-2776)

Not affected by CVE-2016-2775.

Comment 1 Philipp Hahn

2016-10-10 16:19:17 CEST

r16776 | bind9

Package: bind9
Version: 1:9.8.4.dfsg.P1-6+nmu2.113.201610101547
Branch: ucs_3.2-0
Scope: errata3.2-8

r73049 | Bug #40319: bind9 YAML
 bind9.yaml

=> SELECT DISTINCT binver,major,minor,patch,scope FROM binpkg WHERE binpkg='bind9' AND (major=3 AND minor>=2 OR major>=4) ORDER BY major,minor,patch,scope ASC NULLS FIRST;
                 binver                  | major | minor | patch | scope  
-----------------------------------------+-------+-------+-------+--------
 1:9.8.0.P4-1.102.201307290920           |     3 |     2 |     0 | 
 1:9.8.4.dfsg.P1-6+nmu2.113.201508061528 |     3 |     2 |     6 | errata
 1:9.8.4.dfsg.P1-6+nmu2.113.201508061528 |     3 |     2 |     7 | 
 1:9.8.4.dfsg.P1-6+nmu2.113.201610101547 |     3 |     2 |     8 | errata
 1:9.8.4.dfsg.P1-6+nmu2.113.201603012216 |     3 |     3 |     0 | 
 1:9.8.4.dfsg.P1-6+nmu2.113.201610101550 |     3 |     3 |     0 | errata
 1:9.8.4.dfsg.P1-6+nmu2.108.201411010114 |     4 |     0 |     0 | 
 1:9.8.4.dfsg.P1-6+nmu2.109.201501200840 |     4 |     0 |     0 | errata
 1:9.8.4.dfsg.P1-6+nmu2.109.201501200840 |     4 |     0 |     1 | 
 1:9.8.4.dfsg.P1-6+nmu2.114.201508061539 |     4 |     0 |     2 | errata
 1:9.8.4.dfsg.P1-6+nmu2.114.201508061539 |     4 |     0 |     3 | 
 1:9.8.4.dfsg.P1-6+nmu2.115.201610101551 |     4 |     1 |     3 | errata
 1:9.9.5.dfsg-9+deb8u6                   |     4 |     2 |     0 |

Comment 2 Stefan Gohmann

2016-10-11 08:17:40 CEST

Jenkins tests have been started:
http://jenkins.knut.univention.de:8080/job/UCS-3.2/job/UCS-3.2-8/job/AutotestJoin/6/

Comment 3 Stefan Gohmann

2016-10-13 14:43:34 CEST

root@master321:~# apt-cache policy bind9
bind9:
  Installiert: 1:9.8.4.dfsg.P1-6+nmu2.120.201607011019
  Kandidat:    1:9.8.4.dfsg.P1-6+nmu2.120.201607011019
  Versionstabelle:
 *** 1:9.8.4.dfsg.P1-6+nmu2.120.201607011019 0
        500 http://updates.software-univention.de/3.2/maintained/component/ 3.2-8-errata/amd64/ Packages
        100 /var/lib/dpkg/status
     1:9.8.4.dfsg.P1-6+nmu2.113.201610101547 0
        500 http://updates-test.software-univention.de/3.2/maintained/component/ 3.2-8-errata-test/amd64/ Packages

Comment 4 Philipp Hahn

2016-10-16 22:56:33 CEST

Package: bind9
Version: 1:9.8.4.dfsg.P1-6+nmu2.121.201610141703
Branch: ucs_3.2-0
Scope: errata3.2-8

r73253 | Bug #40319: bind9 YAML
 bind9.yaml

FYI: All other bind9 versions were rebuilt as well as each UCS release has a different version of OpenSSL - I did a successful update from 3.2 → 3.3 → 4.1

Comment 5 Stefan Gohmann

2016-10-19 10:24:45 CEST

(In reply to Philipp Hahn from comment #4)
> Package: bind9
> Version: 1:9.8.4.dfsg.P1-6+nmu2.121.201610141703
> Branch: ucs_3.2-0
> Scope: errata3.2-8
> 
> r73253 | Bug #40319: bind9 YAML
>  bind9.yaml
> 
> FYI: All other bind9 versions were rebuilt as well as each UCS release has a
> different version of OpenSSL - I did a successful update from 3.2 → 3.3 → 4.1

OK, works now.

Comment 6 Janek Walkenhorst

2016-10-20 13:15:52 CEST

<http://errata.software-univention.de/ucs/3.2/449.html>