Bug 44656 - bind9: Denial of service issues (4.2)
bind9: Denial of service issues (4.2)
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-1-errata
Assigned To: Arvid Requate
Philipp Hahn
Depends on:
  Show dependency treegraph
Reported: 2017-05-23 11:19 CEST by Arvid Requate
Modified: 2017-08-09 16:57 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
requate: Patch_Available+


Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2017-05-23 11:19:44 CEST
Upstream Debian package version 1:9.9.5.dfsg-9+deb8u11 fixes:

* An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;" (CVE-2017-3136)

* A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME (CVE-2017-3137)

* named exits with a REQUIRE assertion failure if it receives a null command string on its control channel (CVE-2017-3138)
Comment 1 Arvid Requate univentionstaff 2017-08-07 15:33:00 CEST
Upstream Debian package version 1:9.9.5.dfsg-9+deb8u12 fixes:

* An error in TSIG authentication can permit unauthorized zone transfers (CVE-2017-3142)

* An error in TSIG authentication can permit unauthorized dynamic updates (CVE-2017-3143)

And 1:9.9.5.dfsg-9+deb8u13 fixes a regression.
Comment 2 Arvid Requate univentionstaff 2017-08-08 15:47:34 CEST
1:9.9.5.dfsg-9+deb8u7 fixes:

* buffer.c in named does not properly construct responses, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted query. (CVE-2016-2776)

1:9.9.5.dfsg-9+deb8u8 fixes:

* named in ISC BIND 9.x before 9.9.9-P4 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNAME record in the answer section of a response to a recursive query, related to db.c and resolver.c. (CVE-2016-8864)

1:9.9.5.dfsg-9+deb8u9 fixes:

* A crafted upstream response to an ANY query could cause an assertion
  failure (CVE-2016-9131)
* A crafted upstream response with self-contradicting DNSSEC data could cause
  an assertion failure (CVE-2016-9147)
* Specially-crafted upstream responses with a DS record could cause an
  assertion failure (CVE-2016-9444)
* A regression in the patch for CVE-2016-8864 has been fixed.

1:9.9.5.dfsg-9+deb8u10 fixes:

* Fix regression caused by the fix for CVE-2016-8864
* Assertion failure when using DNS64 and RPZ can lead to crash (CVE-2017-3135)
Comment 3 Arvid Requate univentionstaff 2017-08-08 19:21:57 CEST
I've used the new tool from Bug 44451 on omar:

debian_package="bind9"  # example

svn up "$repong_checkout"
svn up "$errata_checkout"
mkdir -p "/tmp/$USER"

python -m univention.repong.debmirror \
       --errata "$errata_checkout" \
       --sql -vvvv --work "/tmp/$USER/work.yaml" \
       --overwrite \
       "$repong_checkout/mirror/update_ucs42_mirror_from_debian.tsv" \
       --load="/tmp/$USER/repo-debmirror.pickle" \
       --save="/tmp/$USER/repo-debmirror.pickle" \
       --process REBUILD --process MERGE \
       --package "$debian_package"

Advisory: ucs-4.2-1/doc/errata/staging/bind9.yaml
Comment 4 Philipp Hahn univentionstaff 2017-08-08 21:04:54 CEST
OK: aptitude install '?source-package(bind9)~i'

bind9 (1:9.9.5.dfsg-9+deb8u13A~ wird eingerichtet ...
/usr/bin/deb-systemd-helper: error: unable to read bind9.service

OK: apt install libbind-dev
OK: apt install libbind-export-dev
OK: aptitude install '?source-package(bind9)?not(?name(udeb))?not(?name(dev))'
OK: dig @ -p 53 "$(dnsdomainname)" axfr
OK: named-checkconf /etc/bind/named.conf.samba4
OK: ucr set dns/backend=ldap
OK: dig @ -p 7777 "$(dnsdomainname)" axfr
OK: named-checkconf /etc/bind/named.conf.proxy
OK: named-checkconf /etc/bind/named.conf
OK: zless /usr/share/doc/bind9/changelog.Debian.gz # 1:9.9.5.dfsg-9+deb8u13A~
OK: 1:9.9.5.dfsg-9+deb8u7..13
OK: dns/backend=ldap,samba4

FIXED: bind9.yaml -> r81914
OK: errata-announce -V --only bind9.yaml

WAITING for Jenkins...
Comment 5 Philipp Hahn univentionstaff 2017-08-09 15:07:20 CEST
(In reply to Philipp Hahn from comment #4)
> WAITING for Jenkins...

Comment 6 Arvid Requate univentionstaff 2017-08-09 16:57:20 CEST