Package: bind9
Version: 1:9.18.28-1~deb12u2
Severity: important
Tags: upstream
X-Debbugs-Cc: [email protected]
Dear Maintainer,

After a bookworm security update to 9.18.28, dynamic DNS updates using SIG(0) authentication fail. Dynamic updates worked up to the previous version. (TSIG/HMAC-authenticated updates are not affected, only the SIG(0) public-key authentication mechanism.)

nsupdate reports REFUSED and the journal shows the following (IP and domain edited):

    Jul 31 08:22:01 ns named[61051]: update-security: error: client @0x7f0c58c51168 127.0.0.1#49416: update 'xxx.notcom.org/IN' denied

This appears to be due to a security "fix" from upstream. The release notes at <https://downloads.isc.org/isc/bind9/9.18.28/doc/arm/html/notes.html> include the following entry:

    Validating DNS messages signed using the SIG(0) protocol (RFC 2931) could cause excessive CPU load, leading to a denial-of-service condition. Support for SIG(0) message validation was removed from this version of named. (CVE-2024-1975) [GL #4480]

An actual mitigation for CVE-2024-1975 is included in the 9.20 branch, but as shown above the "fix" for the 9.18 branch was the complete removal of SIG(0) support in a 0.0.1 release. (In other words, 9.20.0 has SIG(0) support as before, but the 9.18 branch doesn't from 9.18.28 onward.)

The relevant upstream change is <https://github.com/isc-projects/bind9/commit/bef3d2cca3552100bbe44790c8c1a4f5bef06798>. After reverting this commit and rebuilding, SIG(0) works again, but obviously with the resource-exhaustion vulnerability again present.

A feature removal of this magnitude is very unexpected for a minor security/patch release. That said, if upstream is not inclined to backport the full mitigation from 9.20 to 9.18, options appear to be limited. Since SIG(0) is probably used by relatively few installations, perhaps bringing 9.20 to bookworm-backports would be the least-bad alternative here?
-- System Information:
Debian Release: 12.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.15.0-107-generic (SMP w/2 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bind9 depends on:
ii  adduser                 3.134
ii  bind9-libs              1:9.18.28-1~deb12u2
ii  bind9-utils             1:9.18.28-1~deb12u2
ii  debconf [debconf-2.0]   1.5.82
ii  dns-root-data           2024041801~deb12u1
ii  init-system-helpers     1.65.2
ii  iproute2                6.1.0-3
ii  libc6                   2.36-9+deb12u7
ii  libcap2                 1:2.66-4
ii  libfstrm0               0.6.1-1
ii  libjemalloc2            5.3.0-1
ii  libjson-c5              0.16-2
ii  liblmdb0                0.9.24-1
ii  libmaxminddb0           1.7.1-1
ii  libnghttp2-14           1.52.0-1+deb12u1
ii  libprotobuf-c1          1.4.1-1+b1
ii  libssl3                 3.0.13-1~deb12u1
ii  libsystemd0             252.26-1~deb12u2
ii  libuv1                  1.44.2-1+deb12u1
ii  libxml2                 2.9.14+dfsg-1.3~deb12u1
ii  netbase                 6.4
ii  sysvinit-utils [lsb-base]  3.06-4
ii  zlib1g                  1:1.2.13.dfsg-1

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind-doc                    <none>
ii  bind9-dnsutils [dnsutils]   1:9.18.28-1~deb12u2
pn  resolvconf                  <none>
pn  ufw                         <none>

-- Configuration Files:
/etc/bind/db.0 changed [not included]
/etc/bind/named.conf changed [not included]
/etc/bind/named.conf.local changed [not included]
/etc/bind/named.conf.options changed [not included]

-- no debconf information
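An added triage helper (not part of the bug report or of the bind9 package) for an operator checking whether denied dynamic updates coincide with a 9.18.28-or-later build, where the release notes quoted above say SIG(0) validation was removed: it parses the journal line format shown in the report and the Debian version string as printed by `dpkg-query -W bind9`. The sample journal lines are constructed; the version-range check covers only the 9.18 branch, since the report says nothing about other branches beyond 9.20.0 keeping SIG(0).

```python
import re
from typing import Optional

# Journal line format copied from the bug report above.
DENIED_RE = re.compile(
    r"update-security: error: client @0x[0-9a-f]+ "
    r"(?P<addr>[^#\s]+)#(?P<port>\d+): update '(?P<zone>[^']+)' denied"
)
# Debian version string: [epoch:]upstream[-revision], e.g. "1:9.18.28-1~deb12u2".
VERSION_RE = re.compile(r"^(?:\d+:)?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)")


def parse_denied_update(line: str) -> Optional[dict]:
    """Return client address, port and zone from an update-security denial, else None."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    return {"addr": m.group("addr"), "port": int(m.group("port")), "zone": m.group("zone")}


def sig0_validation_removed(version: str) -> bool:
    """True for a 9.18.x build with x >= 28 (SIG(0) validation removed per the 9.18.28
    notes). Assumption: only the 9.18 branch is classified; 9.20.0 keeps SIG(0)."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(m.group(g)) for g in ("major", "minor", "patch"))
    return major == 9 and minor == 18 and patch >= 28


def triage(version: str, journal_lines: list) -> dict:
    """Group denied dynamic updates by zone and flag whether the running build is
    one in which the SIG(0) removal is a plausible cause to check first."""
    denied: dict = {}
    for line in journal_lines:
        rec = parse_denied_update(line)
        if rec:
            denied.setdefault(rec["zone"], []).append(f'{rec["addr"]}#{rec["port"]}')
    return {"denied_by_zone": denied, "sig0_removed_in_build": sig0_validation_removed(version)}


# Constructed sample input: the journal line from the report plus an unrelated line.
SAMPLE_JOURNAL = [
    "Jul 31 08:22:01 ns named[61051]: update-security: error: client @0x7f0c58c51168 "
    "127.0.0.1#49416: update 'xxx.notcom.org/IN' denied",
    "Jul 31 08:22:02 ns named[61051]: zone example.test/IN: sending notifies",
]

if __name__ == "__main__":
    print(triage("1:9.18.28-1~deb12u2", SAMPLE_JOURNAL))
```

A `True` flag only says the build is one where SIG(0)-signed updates cannot validate; a denial can still come from ordinary `update-policy`/`allow-update` configuration, so confirm with the client's signing method before concluding.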

