Univention Bugzilla – Bug 43362
bind9: Denial of service (4.1)
Last modified: 2017-02-15 14:57:45 CET
CVE-2016-9131
A crafted upstream response to an ANY query could cause an assertion failure.

CVE-2016-9147
A crafted upstream response with self-contradicting DNSSEC data could cause an assertion failure.

CVE-2016-9444
Specially-crafted upstream responses with a DS record could cause an assertion failure.

These vulnerabilities predominantly affect DNS servers providing recursive service. Client queries to authoritative-only servers cannot trigger these assertion failures. These vulnerabilities are present whether or not DNSSEC validation is enabled in the server configuration.
Upstream Debian package version 1:9.8.4.dfsg.P1-6+nmu2+deb7u14 fixes these issues. Additionally the patch for CVE-2016-8864 (Bug 42747) seems to cause a regression. That has been fixed too.
repo_admin.py -U -r 4.1 -s errata4.1-4 -d wheezy -p bind9 # 1:9.8.4.dfsg.P1-6+nmu2+deb7u14

Package: bind9
Version: 1:9.8.4.dfsg.P1-6+nmu2.126.201702061148
Branch: ucs_4.1-0
Scope: errata4.1-4

r76427 | Bug #43362,Bug #28748,#29977: bind9 YAML
 bind9.yaml
Verified:
* upstream version imported and built
* Univention patches applied
* package update Ok (amd64)
* Functional test Ok (deleted Samba DNS records, let samba_dnsupdate fix it)
* Advisory Ok
<http://errata.software-univention.de/ucs/4.1/393.html>