Univention Bugzilla – Bug 37247
bind9: Denial of service (3.2)
Last modified: 2015-08-07 12:46:16 CEST
CVE-2014-8500 Denial of service in delegation handling could lead to denial of service against named.
Quite a lot of changes are required for that, two new options are introduced: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=603a0e2637b35a2da820bc807f69bcf09c682dce https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=711e833921d3dd67df7515438e152bbfdb2c1249 https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=6cd340997bad88472dfd80b86192a57205ab1c8e The patch I obtained from diffing 1:9.8.4.dfsg.P1-6+nmu2+deb7u3 with the previous version didn't apply cleanly, so in the end we have a custom patch for this. Why is that, what's that guy talking about, you ask? It's because we have a custom bind9 version in UCS 3.x (1:9.8.0.P4-1) which is between squeeze (1:9.7.3....) and wheezy (1:9.8.4....). So either we adjust the patch to fit our version (which is possible, I assume) or we backport the wheezy version from UCS 4.0 to errata3.2-5 (and ES 3.1).
* Denial of service via crafted packet due to error in handling TKEY queries triggering a REQUIRE assertion failure (CVE-2015-5477)
I have cherry picked bind9 9.8.4-P1 from errata4.0-2 to errata3.2-6 but proper testing remains to be done. I've also listed all upstream changelogs in the Advisory: 2015-07-31-bind9.yaml: For the full list of changes from bind9 9.8.0-P4 to 9.8.4-P1 see: * https://kb.isc.org/article/AA-00446/81/BIND-9.8.1-Release-Notes.html * https://kb.isc.org/article/AA-00540/81/BIND-9.8.1-P1-Release-Notes.html * https://kb.isc.org/article/AA-00645/81/BIND-9.8.2-Release-Notes.html * https://kb.isc.org/article/AA-00670/81/BIND-9.8.3-Release-Notes.html * https://kb.isc.org/article/AA-00697/81/BIND-9.8.3-P1-Release-Notes.html * https://kb.isc.org/article/AA-00719/81/BIND-9.8.3-P2-Release-Notes.html * https://kb.isc.org/article/AA-00797/81/BIND-9.8.4-Release-Notes.html * https://kb.isc.org/article/AA-00830/81/BIND-9.8.4-P1-Release-Notes.html
Actually, the -P changelogs are included in the point update changelogs, so I removed them from the advisory.
Package update and Windows client DDNS update worked. I compared the syslog output of "named" during start and it looks ok. To fix update issues due to new (un)maintained binary packages I had to add to ucs_3.2-6_i386_dvd.txt: ============================================================== all/host_9.8.4.dfsg.P1-6+nmu2.111.201507311324_all.deb i386/libdns88_9.8.4.dfsg.P1-6+nmu2.111.201507311324_i386.deb i386/libisc84_9.8.4.dfsg.P1-6+nmu2.111.201507311324_i386.deb i386/libisccfg82_9.8.4.dfsg.P1-6+nmu2.111.201507311324_i386.deb ============================================================== and to ucs_3.2-6_amd64_dvd.txt: ============================================================== all/host_9.8.4.dfsg.P1-6+nmu2.111.201507311324_all.deb amd64/libdns88_9.8.4.dfsg.P1-6+nmu2.111.201507311324_amd64.deb amd64/libisc84_9.8.4.dfsg.P1-6+nmu2.111.201507311324_amd64.deb amd64/libisccfg82_9.8.4.dfsg.P1-6+nmu2.111.201507311324_amd64.deb ============================================================== Next we need to * check the result of the Jenkins tests with the new maintained packages * check update to UCS 4.0 with these new packages installed
Checked: * The maintained/unmaintained issue has been fixed, update worked from testing.univention.de * With the new packages installed the update to UCS 4.0-0 worked. The check with "dpkg -l | grep ^r" showed that no univention-* packages have been uninstalled, only some legacy packages (e.g. the libdns81, libisc81, libisccfg80) * Still waiting for the Jenkins test results.
Ok, UCS 3.2-6 Jenkins Tests with errata3.2-6-test look good.
Tests: OK Update: OK Advisory: OK
<http://errata.univention.de/ucs/3.2/350.html>