Univention Bugzilla – Bug 54566
bind9: Multiple issues (4.4)
Last modified: 2022-03-23 12:10:19 CET
New Debian bind9 1:9.10.3.dfsg.P4-12.3+deb9u11A~4.4.8.202203190914 fixes:
This update addresses the following issue:
* The rules for acceptance of records into the cache have been tightened to prevent the possibility of poisoning if forwarders send records outside the configured bailiwick (CVE-2021-25220)
--- mirror/ftp/4.4/unmaintained/component/4.4-8-errata/source/bind9_9.10.3.dfsg.P4-12.3+deb9u10A~4.4.8.202111030617.dsc +++ apt/ucs_4.4-0-errata4.4-8/source/bind9_9.10.3.dfsg.P4-12.3+deb9u11A~4.4.8.202203190914.dsc @@ -1,4 +1,4 @@ -1:9.10.3.dfsg.P4-12.3+deb9u10A~4.4.8.202111030617 [Wed, 03 Nov 2021 06:24:45 +0100] Univention builddaemon <buildd@univention.de>: +1:9.10.3.dfsg.P4-12.3+deb9u11A~4.4.8.202203190914 [Sat, 19 Mar 2022 09:21:20 +0100] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 0001-Bug-22478-build-bind-with-libdb4.8 @@ -17,6 +17,14 @@ 0014-Bug-42389-Fix-crash-on-shutdown 0016-Bug-46526-Fix-memory-leak +1:9.10.3.dfsg.P4-12.3+deb9u11 [Fri, 18 Mar 2022 14:25:50 +0100] Markus Koschany <apo@debian.org>: + + * Non-maintainer upload by the LTS team. + * Fix CVE-2021-25220: + When using forwarders, bogus NS records supplied by, or via, those + forwarders may be cached and used by named if it needs to recurse for any + reason, causing it to obtain and pass on potentially incorrect answers. + 1:9.10.3.dfsg.P4-12.3+deb9u10 [Tue, 02 Nov 2021 00:05:57 +0100] Markus Koschany <apo@debian.org>: * Non-maintainer upload by the LTS team. <http://piuparts.knut.univention.de/4.4-8/#5984561836166019480>
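Review bot: the deb9u11 hunk (`@@ -17,6 +17,14 @@`) adds only the Debian changelog entry for CVE-2021-25220; the cache-acceptance code change itself is not visible in this .dsc diff, so the erratum cannot be verified from the changelog text alone. Before announcing, run the rebuilt named in a configuration with forwarders set and confirm that answers which require recursion still resolve, since the tightened bailiwick rules change which records the cache accepts.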
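The cache-acceptance rule the errata text describes, as an added illustration that is not Univention or ISC code: records obtained through a forwarder are accepted into the cache only when their owner name lies within the bailiwick of the zone the answer is for. The RR class, the function names and the sample response are constructed for this example.

```python
# Bailiwick check for records received via a forwarder (CVE-2021-25220 style).
# Added example, not Univention or ISC code: it models the rule the errata text
# describes, that a record from a forwarder goes into the cache only if its
# owner name is at or below the zone (bailiwick) the answer is for. The RR
# class, function names and sample response are constructed for this example.
from dataclasses import dataclass


def _labels(name: str) -> list:
    """Split a DNS name into lower-cased labels; the root "." gives []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner equals zone or is below it. The comparison is label-wise,
    so 'notexample.com' is NOT within 'example.com' (a string-suffix test
    would accept it)."""
    o, z = _labels(owner), _labels(zone)
    return len(o) >= len(z) and (not z or o[-len(z):] == z)


@dataclass(frozen=True)
class RR:
    owner: str
    rtype: str
    rdata: str


def filter_cacheable(records, bailiwick):
    """Split a response into (accepted, rejected). NS records and their glue
    for names outside the bailiwick are rejected: cached, they would steer
    later recursion for unrelated zones to whoever supplied them."""
    accepted, rejected = [], []
    for rr in records:
        (accepted if in_bailiwick(rr.owner, bailiwick) else rejected).append(rr)
    return accepted, rejected


# Constructed sample: reply for www.example.com obtained through a forwarder
# for example.com, with a bogus NS for example.net in the authority section
# plus glue for it (the pattern the deb9u11 changelog entry warns about).
SAMPLE = [
    RR("www.example.com.", "A", "192.0.2.10"),
    RR("example.com.", "NS", "ns1.example.com."),
    RR("ns1.example.com.", "A", "192.0.2.53"),
    RR("example.net.", "NS", "ns.bogus.example."),
    RR("ns.bogus.example.", "A", "198.51.100.7"),
]
```

Running `filter_cacheable(SAMPLE, "example.com.")` keeps the three example.com records and rejects the example.net NS record together with its glue.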
4.4 and 5.0 upgrade tests are failing since the import of this security update. I can see this in the logs:

Mar 19 23:32:22 unassigned-hostname named[11962]: ../../../lib/dns/name.c:2487: REQUIRE((((dest) != ((void *)0)) && (((const isc__magic_t *)(dest))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n')))))) failed, back trace
Mar 19 23:32:22 unassigned-hostname named[11962]: #0 0x55b022fcc580 in ??
Mar 19 23:32:22 unassigned-hostname named[11962]: #1 0x7f13181ba9aa in ??
Mar 19 23:32:22 unassigned-hostname named[11962]: #2 0x7f13198a4f36 in ??
Mar 19 23:32:22 unassigned-hostname named[11962]: #3 0x7f1319926f64 in ??
Mar 19 23:32:22 unassigned-hostname named[11962]: #4 0x7f13199292a4 in ??
Mar 19 23:32:22 unassigned-hostname named[11962]: #5 0x7f1319929b84 in ??
Mar 19 23:32:22 unassigned-hostname named[11962]: #6 0x7f13181dea23 in ??
Mar 19 23:32:22 unassigned-hostname named[11962]: #7 0x7f131750d4a4 in ??
Mar 19 23:32:22 unassigned-hostname named[11962]: #8 0x7f131695ed0f in ??
Mar 19 23:32:22 unassigned-hostname named[11962]: exiting (due to assertion failure)
Mar 19 23:32:22 unassigned-hostname systemd[1]: bind9.service: Main process exited, code=killed, status=6/ABRT
Mar 19 23:32:22 unassigned-hostname proxy[12005]: rndc: connect failed: 127.0.0.1#953: connection refused
Mar 19 23:32:22 unassigned-hostname systemd[1]: bind9.service: Control process exited, code=exited status=1
Mar 19 23:32:22 unassigned-hostname systemd[1]: bind9.service: Unit entered failed state.
Mar 19 23:32:22 unassigned-hostname systemd[1]: bind9.service: Failed with result 'signal'.
Mar 19 23:32:22 unassigned-hostname systemd[1]: bind9.service: Service hold-off time over, scheduling restart.
Mar 19 23:32:22 unassigned-hostname systemd[1]: Stopped BIND Domain Name Server proxy for LDAP backend.
Mar 19 23:32:22 unassigned-hostname systemd[1]: bind9.service: Start request repeated too quickly.
Mar 19 23:32:22 unassigned-hostname systemd[1]: Failed to start BIND Domain Name Server proxy for LDAP backend.
Mar 19 23:32:22 unassigned-hostname systemd[1]: bind9.service: Unit entered failed state.
Mar 19 23:32:22 unassigned-hostname systemd[1]: bind9.service: Failed with result 'signal'.

Seems like this issue is already known: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007945
I imported the fixed upstream version. bind9 1:9.10.3.dfsg.P4-12.3+deb9u12A~4.4.8.202203210927
--- mirror/ftp/4.4/unmaintained/component/4.4-8-errata/source/bind9_9.10.3.dfsg.P4-12.3+deb9u10A~4.4.8.202111030617.dsc +++ apt/ucs_4.4-0-errata4.4-8/source/bind9_9.10.3.dfsg.P4-12.3+deb9u12A~4.4.8.202203210927.dsc @@ -1,4 +1,4 @@ -1:9.10.3.dfsg.P4-12.3+deb9u10A~4.4.8.202111030617 [Wed, 03 Nov 2021 06:24:45 +0100] Univention builddaemon <buildd@univention.de>: +1:9.10.3.dfsg.P4-12.3+deb9u12A~4.4.8.202203210927 [Mon, 21 Mar 2022 09:33:46 +0100] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 0001-Bug-22478-build-bind-with-libdb4.8 @@ -17,6 +17,20 @@ 0014-Bug-42389-Fix-crash-on-shutdown 0016-Bug-46526-Fix-memory-leak +1:9.10.3.dfsg.P4-12.3+deb9u12 [Sat, 19 Mar 2022 14:43:45 +0100] Markus Koschany <apo@debian.org>: + + * Non-maintainer upload by the LTS team. + * Regression update for CVE-2021-25220: Properly initialize variables before + using them. (Closes: #1007945) + +1:9.10.3.dfsg.P4-12.3+deb9u11 [Fri, 18 Mar 2022 14:25:50 +0100] Markus Koschany <apo@debian.org>: + + * Non-maintainer upload by the LTS team. + * Fix CVE-2021-25220: + When using forwarders, bogus NS records supplied by, or via, those + forwarders may be cached and used by named if it needs to recurse for any + reason, causing it to obtain and pass on potentially incorrect answers. + 1:9.10.3.dfsg.P4-12.3+deb9u10 [Tue, 02 Nov 2021 00:05:57 +0100] Markus Koschany <apo@debian.org>: * Non-maintainer upload by the LTS team. <http://piuparts.knut.univention.de/4.4-8/#6268591054813287160>
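Review bot: the deb9u12 entry in the `@@ -17,6 +17,20 @@` hunk only states "Properly initialize variables before using them. (Closes: #1007945)"; as with the previous import, the code change is not part of this .dsc diff, so the regression fix has to be confirmed by test rather than by reading the changelog. Re-run the 4.4 and 5.0 upgrade tests against this build and check that bind9.service stays up with no "exiting (due to assertion failure)" from lib/dns/name.c in the journal, since that assertion is what the earlier comment in this bug reported.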
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

ucr set dns/backend=ldap
systemctl restart bind9.service
journalctl -u univention-bind-ldap.service -u bind9.serivce
dig @localhost -p 7777 $(dnsdomainname) axfr
dig @localhost -p 53 $(dnsdomainname) axfr
ucr set dns/backend=samba4
systemctl restart bind9.service
journalctl -u bind9.serivce
dig @localhost -p 53 $(dnsdomainname) axfr

[4.4-8] 511ec0d3eb Bug #54566: bind9 1:9.10.3.dfsg.P4-12.3+deb9u12A~4.4.8.202203210927
 doc/errata/staging/bind9.yaml | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
[4.4-8] 799e8a8d17 Bug #54566: bind9 1:9.10.3.dfsg.P4-12.3+deb9u12A~4.4.8.202203210927
 doc/errata/staging/bind9.yaml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
[4.4-8] e7eae26bf6 Bug #54566: bind9 1:9.10.3.dfsg.P4-12.3+deb9u11A~4.4.8.202203190914
 doc/errata/staging/bind9.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x1205>