Univention Bugzilla – Full Text Bug Listing |
Summary: | bind9: Denial of service (3.2) | ||
---|---|---|---|
Product: | UCS | Reporter: | Moritz Muehlenhoff <jmm> |
Component: | Security updates | Assignee: | Arvid Requate <requate> |
Status: | CLOSED FIXED | QA Contact: | Janek Walkenhorst <walkenhorst> |
Severity: | normal | ||
Priority: | P5 | CC: | gohmann |
Version: | UCS 3.2 | ||
Target Milestone: | UCS 3.2-6-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
What kind of report is it?: | --- | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | Enterprise Customer affected?: | ||
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | ||
Max CVSS v3 score: |
Description
Moritz Muehlenhoff
2014-12-09 06:08:54 CET
Quite a lot of changes are required for that, two new options are introduced: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=603a0e2637b35a2da820bc807f69bcf09c682dce https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=711e833921d3dd67df7515438e152bbfdb2c1249 https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=6cd340997bad88472dfd80b86192a57205ab1c8e The patch I obtained from diffing 1:9.8.4.dfsg.P1-6+nmu2+deb7u3 with the previous version didn't apply cleanly, so in the end we have a custom patch for this. Why is that, what's that guy talking about, you ask? It's because we have a custom bind9 version in UCS 3.x (1:9.8.0.P4-1) which is between squeeze (1:9.7.3....) and wheezy (1:9.8.4....). So either we adjust the patch to fit our version (which is possible, I assume) or we backport the wheezy version from UCS 4.0 to errata3.2-5 (and ES 3.1). * Denial of service via crafted packet due to error in handling TKEY queries triggering a REQUIRE assertion failure (CVE-2015-5477) I have cherry picked bind9 9.8.4-P1 from errata4.0-2 to errata3.2-6 but proper testing remains to be done. I've also listed all upstream changelogs in the Advisory: 2015-07-31-bind9.yaml: For the full list of changes from bind9 9.8.0-P4 to 9.8.4-P1 see: * https://kb.isc.org/article/AA-00446/81/BIND-9.8.1-Release-Notes.html * https://kb.isc.org/article/AA-00540/81/BIND-9.8.1-P1-Release-Notes.html * https://kb.isc.org/article/AA-00645/81/BIND-9.8.2-Release-Notes.html * https://kb.isc.org/article/AA-00670/81/BIND-9.8.3-Release-Notes.html * https://kb.isc.org/article/AA-00697/81/BIND-9.8.3-P1-Release-Notes.html * https://kb.isc.org/article/AA-00719/81/BIND-9.8.3-P2-Release-Notes.html * https://kb.isc.org/article/AA-00797/81/BIND-9.8.4-Release-Notes.html * https://kb.isc.org/article/AA-00830/81/BIND-9.8.4-P1-Release-Notes.html Actually, the -P changelogs are included in the point update changelogs, so I removed them from the advisory. Package update and Windows client DDNS update worked. I compared the syslog output of "named" during start and it looks ok. To fix update issues due to new (un)maintained binary packages I had to add to ucs_3.2-6_i386_dvd.txt: ============================================================== all/host_9.8.4.dfsg.P1-6+nmu2.111.201507311324_all.deb i386/libdns88_9.8.4.dfsg.P1-6+nmu2.111.201507311324_i386.deb i386/libisc84_9.8.4.dfsg.P1-6+nmu2.111.201507311324_i386.deb i386/libisccfg82_9.8.4.dfsg.P1-6+nmu2.111.201507311324_i386.deb ============================================================== and to ucs_3.2-6_amd64_dvd.txt: ============================================================== all/host_9.8.4.dfsg.P1-6+nmu2.111.201507311324_all.deb amd64/libdns88_9.8.4.dfsg.P1-6+nmu2.111.201507311324_amd64.deb amd64/libisc84_9.8.4.dfsg.P1-6+nmu2.111.201507311324_amd64.deb amd64/libisccfg82_9.8.4.dfsg.P1-6+nmu2.111.201507311324_amd64.deb ============================================================== Next we need to * check the result of the Jenkins tests with the new maintained packages * check update to UCS 4.0 with these new packages installed Checked: * The maintained/unmaintained issue has been fixed, update worked from testing.univention.de * With the new packages installed the update to UCS 4.0-0 worked. The check with "dpkg -l | grep ^r" showed that no univention-* packages have been uninstalled, only some legacy packages (e.g. the libdns81, libisc81, libisccfg80) * Still waiting for the Jenkins test results. Ok, UCS 3.2-6 Jenkins Tests with errata3.2-6-test look good. Tests: OK Update: OK Advisory: OK |