Univention Bugzilla – Bug 44656
bind9: Denial of service issues (4.2)
Last modified: 2017-08-09 16:57:20 CEST
Upstream Debian package version 1:9.9.5.dfsg-9+deb8u11 fixes: * An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;" (CVE-2017-3136) * A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME (CVE-2017-3137) * named exits with a REQUIRE assertion failure if it receives a null command string on its control channel (CVE-2017-3138)
Upstream Debian package version 1:9.9.5.dfsg-9+deb8u12 fixes: * An error in TSIG authentication can permit unauthorized zone transfers (CVE-2017-3142) * An error in TSIG authentication can permit unauthorized dynamic updates (CVE-2017-3143) And 1:9.9.5.dfsg-9+deb8u13 fixes a regression.
1:9.9.5.dfsg-9+deb8u7 fixes: * buffer.c in named does not properly construct responses, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted query. (CVE-2016-2776) 1:9.9.5.dfsg-9+deb8u8 fixes: * named in ISC BIND 9.x before 9.9.9-P4 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c. (CVE-2016-8864) 1:9.9.5.dfsg-9+deb8u9 fixes: * A crafted upstream response to an ANY query could cause an assertion failure (CVE-2016-9131) * A crafted upstream response with self-contradicting DNSSEC data could cause an assertion failure (CVE-2016-9147) * Specially-crafted upstream responses with a DS record could cause an assertion failure (CVE-2016-9444) * A regression in the patch for CVE-2016-8864 has been fixed. 1:9.9.5.dfsg-9+deb8u10 fixes: * Fix regression caused by the fix for CVE-2016-8864 * Assertion failure when using DNS64 and RPZ can lead to crash (CVE-2017-3135)
I've used the new tool from Bug 44451 on omar: ========================================================================= debian_package="bind9" # example svn_checkout=~/svn/dev/branches repong_checkout="$svn_checkout/ucs-3.2/internal/repo-ng" errata_checkout="$svn_checkout/ucs-4.2/ucs-4.2-1/doc/errata" svn up "$repong_checkout" svn up "$errata_checkout" mkdir -p "/tmp/$USER" python -m univention.repong.debmirror \ --errata "$errata_checkout" \ --sql -vvvv --work "/tmp/$USER/work.yaml" \ --overwrite \ "$repong_checkout/mirror/update_ucs42_mirror_from_debian.tsv" \ --load="/tmp/$USER/repo-debmirror.pickle" \ --save="/tmp/$USER/repo-debmirror.pickle" \ --process REBUILD --process MERGE \ --package "$debian_package" ========================================================================= Advisory: ucs-4.2-1/doc/errata/staging/bind9.yaml
OK: aptitude install '?source-package(bind9)~i' bind9 (1:9.9.5.dfsg-9+deb8u13A~4.2.1.201708081700) wird eingerichtet ... /usr/bin/deb-systemd-helper: error: unable to read bind9.service OK: apt install libbind-dev OK: apt install libbind-export-dev OK: aptitude install '?source-package(bind9)?not(?name(udeb))?not(?name(dev))' OK: dig @127.0.0.1 -p 53 "$(dnsdomainname)" axfr OK: named-checkconf /etc/bind/named.conf.samba4 OK: ucr set dns/backend=ldap OK: dig @127.0.0.1 -p 7777 "$(dnsdomainname)" axfr OK: named-checkconf /etc/bind/named.conf.proxy OK: named-checkconf /etc/bind/named.conf OK: zless /usr/share/doc/bind9/changelog.Debian.gz # 1:9.9.5.dfsg-9+deb8u13A~4.2.1.201708081700 OK: 1:9.9.5.dfsg-9+deb8u7..13 OK: dns/backend=ldap,samba4 FIXED: bind9.yaml -> r81914 OK: errata-announce -V --only bind9.yaml WAITING for Jenkins...
(In reply to Philipp Hahn from comment #4) > WAITING for Jenkins... OK.
<http://errata.software-univention.de/ucs/4.2/123.html>