Univention Bugzilla – Bug 42749
bind9: Denial of service (ES 3.2)
Last modified: 2018-05-02 15:02:22 CEST
+++ This bug was initially created as a clone of Bug #42748 +++

Upstream Debian package version 1:9.8.4.dfsg.P1-6+nmu2+deb7u12 fixes this issue:
* ISC BIND 9.1.0 through 9.8.4-P2 and 9.9.0 through 9.9.2-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via malformed options data in an OPT resource record. (CVE-2016-2848)
Upstream Debian package version 1:9.8.4.dfsg.P1-6+nmu2+deb7u13 fixes
* remote attackers could cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c. (CVE-2016-8864)

Upstream Debian package version 1:9.8.4.dfsg.P1-6+nmu2+deb7u14 fixes
* A crafted upstream response to an ANY query could cause an assertion failure (CVE-2016-9131)
* A crafted upstream response with self-contradicting DNSSEC data could cause an assertion failure (CVE-2016-9147)
* Specially-crafted upstream responses with a DS record could cause an assertion failure (CVE-2016-9444)
* A regression in the patch for CVE-2016-8864 has been fixed.
Upstream Debian package version 1:9.8.4.dfsg.P1-6+nmu2+deb7u15 fixes this issue:
* Assertion failure when using DNS64 and RPZ can lead to crash (CVE-2017-3135)
Upstream Debian package version 1:9.8.4.dfsg.P1-6+nmu2+deb7u16 fixes
* An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;" (CVE-2017-3136)
* A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME (CVE-2017-3137)
* named exits with a REQUIRE assertion failure if it receives a null command string on its control channel (CVE-2017-3138)
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4. If this issue is still valid, please change the version to a newer UCS version; otherwise this issue will be automatically closed in the next weeks.
Created attachment 9501 [details]
Advisory

* Package cherrypicked from errata4.1-5 to extsec3.2
* UCS patches have been merged
* UCS build version increment fixed to 113
* Package built successfully: logs/ucs_3.2-0-0-extsec3.2/bind9_1:9.8.4.dfsg.P1-6+nmu2.113.201804181315.log.bz2
* Advisory attached
UCS-3.2 errata 8 contains bind9 in version '1:9.8.4.dfsg.P1-6+nmu2.121.201610141703', which hides the extsec3.2 version build version 113. Please rebuild in extsec3.2 with a build version of 121.
9.8.4.dfsg.P1-6+nmu2+deb7u20 is available with build version 121, automated tests did not show any strange or unexpected behaviour.
Released and announced via errata-mailing.