Bug 43362
| Summary: | bind9: Denial of service (4.1) | ||
|---|---|---|---|
| Product: | UCS | Reporter: | Janek Walkenhorst <walkenhorst> |
| Component: | Security updates | Assignee: | Philipp Hahn <hahn> |
| Status: | CLOSED FIXED | QA Contact: | Arvid Requate <requate> |
| Severity: | normal | ||
| Priority: | P5 | CC: | hahn, requate |
| Version: | UCS 4.1 | Flags: | requate:
Patch_Available+
|
| Target Milestone: | UCS 4.1-4-errata | ||
| Hardware: | Other | ||
| OS: | Linux | ||
| What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | Enterprise Customer affected?: | ||
| School Customer affected?: | ISV affected?: | ||
| Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
| Ticket number: | Bug group (optional): | Security | |
| Max CVSS v3 score: | 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | ||
Upstream Debian package version 1:9.8.4.dfsg.P1-6+nmu2+deb7u14 fixes these issues. Additionally the patch for CVE-2016-8864 (Bug 42747) seems to cause a regression. That has been fixed too. repo_admin.py -U -r 4.1 -s errata4.1-4 -d wheezy -p bind9 # 1:9.8.4.dfsg.P1-6+nmu2+deb7u14 Package: bind9 Version: 1:9.8.4.dfsg.P1-6+nmu2.126.201702061148 Branch: ucs_4.1-0 Scope: errata4.1-4 r76427 | Bug #43362,Bug #28748,#29977: bind9 YAML bind9.yaml Verified: * upstream version imported and built * Univention patches applied * package update Ok (amd64) * Functional test Ok (deleted Samba DNS records, let samba_dnsupdate fix it) * Advisory Ok |
CVE-2016-9131 A crafted upstream response to an ANY query could cause an assertion failure. CVE-2016-9147 A crafted upstream response with self-contradicting DNSSEC data could cause an assertion failure. CVE-2016-9444 Specially-crafted upstream responses with a DS record could cause an assertion failure. These vulnerabilities predominantly affect DNS servers providing recursive service. Client queries to authoritative-only servers cannot trigger these assertion failures. These vulnerabilities are present whether or not DNSSEC validation is enabled in the server configuration.