Bug 54566 - bind9: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.4
All Linux
Importance: P3 normal
Target Milestone: UCS 4.4-8-errata
Assigned To: Quality Assurance
Philipp Hahn
Reported: 2022-03-19 09:20 CET by Quality Assurance
Modified: 2022-03-23 12:10 CET (History)

What kind of report is it?: Security Issue
Max CVSS v3 score: 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N)


Description Quality Assurance univentionstaff 2022-03-19 09:20:28 CET
New Debian bind9 1:9.10.3.dfsg.P4-12.3+deb9u11A~4.4.8.202203190914 fixes:
This update addresses the following issue:
* The rules for acceptance of records into the cache have been tightened to prevent the possibility of poisoning if forwarders send records outside the configured bailiwick (CVE-2021-25220)
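As an added illustration of the cache-acceptance rule the description refers to (not BIND's own code, which works on its internal name and database structures): a simplified bailiwick filter for records returned by a forwarder. It assumes the bailiwick is the name of the forward zone the query was sent for; all names and addresses are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass


def labels(name: str) -> tuple[str, ...]:
    """Split an absolute or relative DNS name into lowercase labels (root omitted)."""
    return tuple(lbl.lower() for lbl in name.rstrip(".").split(".") if lbl)


def in_bailiwick(owner: str, bailiwick: str) -> bool:
    """True if OWNER is BAILIWICK itself or a name below it.

    Compared label by label, so "notexample.test." is *not* under
    "example.test." even though it ends with the same characters.
    """
    o, b = labels(owner), labels(bailiwick)
    return len(o) >= len(b) and o[len(o) - len(b):] == b


@dataclass(frozen=True)
class RR:
    owner: str
    rtype: str
    rdata: str


def accept_from_forwarder(bailiwick: str, reply: list[RR]) -> tuple[list[RR], list[RR]]:
    """Partition records from a forwarder's reply into (cacheable, rejected).

    BAILIWICK is the zone the forwarder was asked about on our behalf (assumed
    here to be the forward zone's name).  NS records and glue whose owner lies
    outside it would, if cached, override what the resolver believes about
    unrelated zones; that is the poisoning path CVE-2021-25220 closes.
    """
    accepted: list[RR] = []
    rejected: list[RR] = []
    for rr in reply:
        (accepted if in_bailiwick(rr.owner, bailiwick) else rejected).append(rr)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed reply: authority data for the forward zone plus an
    # out-of-bailiwick NS record for an unrelated zone.
    reply = [
        RR("example.test.", "NS", "ns1.example.test."),
        RR("ns1.example.test.", "A", "192.0.2.1"),
        RR("other.test.", "NS", "ns1.example.test."),
    ]
    ok, dropped = accept_from_forwarder("example.test.", reply)
    print("cache:", [r.owner for r in ok], "rejected:", [r.owner for r in dropped])
```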
Comment 1 Quality Assurance univentionstaff 2022-03-19 10:02:10 CET
--- mirror/ftp/4.4/unmaintained/component/4.4-8-errata/source/bind9_9.10.3.dfsg.P4-12.3+deb9u10A~4.4.8.202111030617.dsc
+++ apt/ucs_4.4-0-errata4.4-8/source/bind9_9.10.3.dfsg.P4-12.3+deb9u11A~4.4.8.202203190914.dsc
@@ -1,4 +1,4 @@
-1:9.10.3.dfsg.P4-12.3+deb9u10A~4.4.8.202111030617 [Wed, 03 Nov 2021 06:24:45 +0100] Univention builddaemon <buildd@univention.de>:
+1:9.10.3.dfsg.P4-12.3+deb9u11A~4.4.8.202203190914 [Sat, 19 Mar 2022 09:21:20 +0100] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     0001-Bug-22478-build-bind-with-libdb4.8
@@ -17,6 +17,14 @@
     0014-Bug-42389-Fix-crash-on-shutdown
     0016-Bug-46526-Fix-memory-leak
 
+1:9.10.3.dfsg.P4-12.3+deb9u11 [Fri, 18 Mar 2022 14:25:50 +0100] Markus Koschany <apo@debian.org>:
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2021-25220:
+    When using forwarders, bogus NS records supplied by, or via, those
+    forwarders may be cached and used by named if it needs to recurse for any
+    reason, causing it to obtain and pass on potentially incorrect answers.
+
 1:9.10.3.dfsg.P4-12.3+deb9u10 [Tue, 02 Nov 2021 00:05:57 +0100] Markus Koschany <apo@debian.org>:
 
   * Non-maintainer upload by the LTS team.
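Review bot: the deb9u11 entry in the second hunk records the CVE-2021-25220 fix but not which upstream change (release or commit) was backported, which is what is needed to check the backport against its origin and to write the errata text; consider adding that reference. Because the change alters record acceptance in the resolver path, it can fail at runtime rather than at build time, so the import should be paired with a start and AXFR check of named against both UCS DNS backends before release. The first hunk is the expected version and date bump.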

<http://piuparts.knut.univention.de/4.4-8/#5984561836166019480>
Comment 2 Julia Bremer univentionstaff 2022-03-20 17:38:07 CET
4.4 and 5.0 upgrade tests are failing since the import of this security update:

I can see this in the logs: 

Mar 19 23:32:22 unassigned-hostname named[11962]: ../../../lib/dns/name.c:2487: REQUIRE((((dest) != ((void *)0)) && (((const isc__magic_t *)(dest))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n')))))) failed, back trace
Mar 19 23:32:22 unassigned-hostname named[11962]: #0 0x55b022fcc580 in ??
Mar 19 23:32:22 unassigned-hostname named[11962]: #1 0x7f13181ba9aa in ??
Mar 19 23:32:22 unassigned-hostname named[11962]: #2 0x7f13198a4f36 in ??
Mar 19 23:32:22 unassigned-hostname named[11962]: #3 0x7f1319926f64 in ??
Mar 19 23:32:22 unassigned-hostname named[11962]: #4 0x7f13199292a4 in ??
Mar 19 23:32:22 unassigned-hostname named[11962]: #5 0x7f1319929b84 in ??
Mar 19 23:32:22 unassigned-hostname named[11962]: #6 0x7f13181dea23 in ??
Mar 19 23:32:22 unassigned-hostname named[11962]: #7 0x7f131750d4a4 in ??
Mar 19 23:32:22 unassigned-hostname named[11962]: #8 0x7f131695ed0f in ??
Mar 19 23:32:22 unassigned-hostname named[11962]: exiting (due to assertion failure)
Mar 19 23:32:22 unassigned-hostname systemd[1]: bind9.service: Main process exited, code=killed, status=6/ABRT
Mar 19 23:32:22 unassigned-hostname proxy[12005]: rndc: connect failed: 127.0.0.1#953: connection refused
Mar 19 23:32:22 unassigned-hostname systemd[1]: bind9.service: Control process exited, code=exited status=1
Mar 19 23:32:22 unassigned-hostname systemd[1]: bind9.service: Unit entered failed state.
Mar 19 23:32:22 unassigned-hostname systemd[1]: bind9.service: Failed with result 'signal'.
Mar 19 23:32:22 unassigned-hostname systemd[1]: bind9.service: Service hold-off time over, scheduling restart.
Mar 19 23:32:22 unassigned-hostname systemd[1]: Stopped BIND Domain Name Server proxy for LDAP backend.
Mar 19 23:32:22 unassigned-hostname systemd[1]: bind9.service: Start request repeated too quickly.
Mar 19 23:32:22 unassigned-hostname systemd[1]: Failed to start BIND Domain Name Server proxy for LDAP backend.
Mar 19 23:32:22 unassigned-hostname systemd[1]: bind9.service: Unit entered failed state.
Mar 19 23:32:22 unassigned-hostname systemd[1]: bind9.service: Failed with result 'signal'.


Seems like this issue is already known:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007945
Comment 3 Erik Damrose univentionstaff 2022-03-21 09:55:48 CET
I imported the fixed upstream version.
bind9 1:9.10.3.dfsg.P4-12.3+deb9u12A~4.4.8.202203210927
Comment 4 Quality Assurance univentionstaff 2022-03-21 10:59:49 CET
--- mirror/ftp/4.4/unmaintained/component/4.4-8-errata/source/bind9_9.10.3.dfsg.P4-12.3+deb9u10A~4.4.8.202111030617.dsc
+++ apt/ucs_4.4-0-errata4.4-8/source/bind9_9.10.3.dfsg.P4-12.3+deb9u12A~4.4.8.202203210927.dsc
@@ -1,4 +1,4 @@
-1:9.10.3.dfsg.P4-12.3+deb9u10A~4.4.8.202111030617 [Wed, 03 Nov 2021 06:24:45 +0100] Univention builddaemon <buildd@univention.de>:
+1:9.10.3.dfsg.P4-12.3+deb9u12A~4.4.8.202203210927 [Mon, 21 Mar 2022 09:33:46 +0100] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     0001-Bug-22478-build-bind-with-libdb4.8
@@ -17,6 +17,20 @@
     0014-Bug-42389-Fix-crash-on-shutdown
     0016-Bug-46526-Fix-memory-leak
 
+1:9.10.3.dfsg.P4-12.3+deb9u12 [Sat, 19 Mar 2022 14:43:45 +0100] Markus Koschany <apo@debian.org>:
+
+  * Non-maintainer upload by the LTS team.
+  * Regression update for CVE-2021-25220: Properly initialize variables before
+    using them. (Closes: #1007945)
+
+1:9.10.3.dfsg.P4-12.3+deb9u11 [Fri, 18 Mar 2022 14:25:50 +0100] Markus Koschany <apo@debian.org>:
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2021-25220:
+    When using forwarders, bogus NS records supplied by, or via, those
+    forwarders may be cached and used by named if it needs to recurse for any
+    reason, causing it to obtain and pass on potentially incorrect answers.
+
 1:9.10.3.dfsg.P4-12.3+deb9u10 [Tue, 02 Nov 2021 00:05:57 +0100] Markus Koschany <apo@debian.org>:
 
   * Non-maintainer upload by the LTS team.
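Review bot: the deb9u12 entry in the second hunk describes the regression fix only as "Properly initialize variables before using them" and cites #1007945; the changelog should name the observable symptom (named aborting at startup with a REQUIRE failure in lib/dns/name.c, as quoted in Comment 2) so that the errata advisory and anyone matching a crash against this version can recognise it without following the Debian bug link. The first hunk is the expected version and date bump.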

<http://piuparts.knut.univention.de/4.4-8/#6268591054813287160>
Comment 5 Philipp Hahn univentionstaff 2022-03-23 06:19:01 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

ucr set dns/backend=ldap
systemctl restart bind9.service
journalctl -u univention-bind-ldap.service -u bind9.service
dig @localhost -p 7777 $(dnsdomainname) axfr
dig @localhost -p 53 $(dnsdomainname) axfr

ucr set dns/backend=samba4
systemctl restart bind9.service
journalctl -u bind9.service
dig @localhost -p 53 $(dnsdomainname) axfr

[4.4-8] 511ec0d3eb Bug #54566: bind9 1:9.10.3.dfsg.P4-12.3+deb9u12A~4.4.8.202203210927
 doc/errata/staging/bind9.yaml | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

[4.4-8] 799e8a8d17 Bug #54566: bind9 1:9.10.3.dfsg.P4-12.3+deb9u12A~4.4.8.202203210927
 doc/errata/staging/bind9.yaml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

[4.4-8] e7eae26bf6 Bug #54566: bind9 1:9.10.3.dfsg.P4-12.3+deb9u11A~4.4.8.202203190914
 doc/errata/staging/bind9.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
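An added check, not part of this bug report, that automates the journalctl step of the QA procedure above and recognises the assertion crash loop quoted in Comment 2: feed it the output of `journalctl -u bind9.service` one line per element. The sample lines are constructed, abbreviated from the quoted log.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Journal lines that mark the failure mode seen in Comment 2: a REQUIRE()
# assertion in named, the resulting abort, and systemd giving up on restarts.
ASSERT_RE = re.compile(r"named\[(?P<pid>\d+)\]: (?P<file>\S+\.c):(?P<line>\d+): REQUIRE\(.*\) failed")
EXIT_RE = re.compile(r"named\[\d+\]: exiting \(due to assertion failure\)")
ABRT_RE = re.compile(r"bind9\.service: Main process exited, code=killed, status=6/ABRT")
LOOP_RE = re.compile(r"bind9\.service: Start request repeated too quickly")


@dataclass
class Verdict:
    assertion_sites: list[tuple[str, int, int]] = field(default_factory=list)  # (file, line, pid)
    assertion_exit: bool = False
    aborted: bool = False
    crash_loop: bool = False

    @property
    def crashed(self) -> bool:
        """An assertion site plus the SIGABRT exit is the signature of this regression."""
        return bool(self.assertion_sites) and self.aborted


def scan_journal(lines) -> Verdict:
    """Scan journalctl output for a named assertion crash and restart loop."""
    v = Verdict()
    for line in lines:
        m = ASSERT_RE.search(line)
        if m:
            v.assertion_sites.append((m["file"], int(m["line"]), int(m["pid"])))
        elif EXIT_RE.search(line):
            v.assertion_exit = True
        elif ABRT_RE.search(line):
            v.aborted = True
        elif LOOP_RE.search(line):
            v.crash_loop = True
    return v


# Constructed sample, abbreviated from the log quoted in Comment 2.
SAMPLE_CRASH = """\
Mar 19 23:32:22 host named[11962]: ../../../lib/dns/name.c:2487: REQUIRE((((dest) != ((void *)0)))) failed, back trace
Mar 19 23:32:22 host named[11962]: #0 0x55b022fcc580 in ??
Mar 19 23:32:22 host named[11962]: exiting (due to assertion failure)
Mar 19 23:32:22 host systemd[1]: bind9.service: Main process exited, code=killed, status=6/ABRT
Mar 19 23:32:22 host systemd[1]: bind9.service: Start request repeated too quickly.
""".splitlines()
SAMPLE_OK = ["Mar 21 10:00:00 host named[1234]: running"]  # constructed healthy line

if __name__ == "__main__":
    v = scan_journal(SAMPLE_CRASH)
    print("crashed:", v.crashed, "loop:", v.crash_loop, "sites:", v.assertion_sites)
```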