Your message dated Sun, 28 Oct 2012 23:16:32 +0100
with message-id <20121028221632.ga21...@spike.0x539.de>
and subject line fixed in 9.8.1.dfsg.P1-4.3
has caused the Debian Bug report #690142,
regarding remote named DoS on recursor (CVE-2012-5166)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
690142: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690142
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: bind9
Tags: security
Severity: grave
A security-relevant bug in all versions of bind9 has been discovered. Only
recursive servers are vulnerable. To mitigate the effects of a possible
attack it should be sufficient to set "minimal-responses yes;" in the
global "options {}" section.
As information on that bug already leaked (and even got mailed to
full-disclosure by Mandriva), I am reporting to the Debian bugtracker.
See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5166 and
https://kb.isc.org/article/AA-00801 for details.
best regards,
Adi Kriegisch
--- End Message ---
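An added example, not part of the original report or of BIND: a small Python check that reports whether the global options block of a named.conf carries the "minimal-responses yes;" workaround on a server where recursion is not disabled. The function names and sample configurations are constructed for illustration; it assumes recursion is on unless "recursion no;" is set, and it ignores view-level overrides and include files.

```python
import re

# Constructed sample named.conf contents (not taken from the bug report).
WITH_MITIGATION = '''
options {
    directory "/var/cache/bind";   // quoted strings stay one token
    recursion yes;
    forwarders { 192.0.2.53; };
    minimal-responses yes;         # workaround named in the report
};
'''
WITHOUT_MITIGATION = '''
/* recursion is not set here, so it is treated as enabled */
options { directory "/var/cache/bind"; };
zone "example.org" { type master; file "db.example.org"; };
'''
AUTH_ONLY = 'options { recursion no; minimal-responses no; };'

# Comments, quoted strings, punctuation, then bare words, in that order.
TOKEN = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*|"[^"]*"|[{};]|[^\s{};"]+', re.S)
TRUE = {"yes", "true", "1"}

def options_statements(conf):
    """Return the depth-1 statements of the global options block as token lists."""
    tokens = [t for t in TOKEN.findall(conf) if not t.startswith(("/*", "//", "#"))]
    depth, in_opts, stmt, found = 0, False, [], []
    for tok in tokens:
        if tok == "{":
            depth += 1
            if depth == 1:                  # a top-level block opens
                in_opts, stmt = (stmt == ["options"]), []
                continue
        elif tok == "}":
            depth -= 1
            if depth == 0:                  # the top-level block closes
                in_opts, stmt = False, []
                continue
        elif tok == ";" and depth <= 1:     # end of a statement we track
            if in_opts and stmt:
                found.append(stmt)
            stmt = []
            continue
        stmt.append(tok)                    # nested braces stay inside stmt
    return found

def audit(conf):
    """Classify a config as not-recursive, mitigated or mitigation-missing."""
    opts = {s[0]: s[1:] for s in options_statements(conf)}
    if opts.get("recursion", ["yes"])[0] not in TRUE:   # assumed default: on
        return "not-recursive"
    mitigated = opts.get("minimal-responses", ["no"])[0] in TRUE
    return "mitigated" if mitigated else "mitigation-missing"
```

The result only covers the workaround from the report; a server reported as "mitigated" still needs the fixed package.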
--- Begin Message ---
Version: 9.8.1.dfsg.P1-4.3
NMU diff as attached.
diff -u bind9-9.8.1.dfsg.P1/debian/changelog
bind9-9.8.1.dfsg.P1/debian/changelog
--- bind9-9.8.1.dfsg.P1/debian/changelog
+++ bind9-9.8.1.dfsg.P1/debian/changelog
@@ -1,3 +1,16 @@
+bind9 (1:9.8.1.dfsg.P1-4.3) unstable; urgency=medium
+
+ [ Philipp Kern ]
+ * Non-maintainer upload.
+
+ [ Marc Deslauriers ]
+ * SECURITY UPDATE: denial of service via specific combinations of RDATA
+ - bin/named/query.c: fix logic
+ - Patch backported from 9.8.3-P4
+ - CVE-2012-5166
+
+ -- Philipp Kern <pk...@debian.org> Sun, 28 Oct 2012 20:28:11 +0100
+
bind9 (1:9.8.1.dfsg.P1-4.2) unstable; urgency=high
* Non-maintainer upload by the Security Team.
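Review bot: the new 1:9.8.1.dfsg.P1-4.3 entry has no "Closes: #690142", so the upload cannot close the report from the changelog, and it is set to urgency=medium although the report is tagged security with Severity: grave and the previous entry used urgency=high. Consider adding the Closes reference to the CVE-2012-5166 item and revisiting the urgency.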
only in patch2:
unchanged:
--- bind9-9.8.1.dfsg.P1.orig/bin/named/query.c
+++ bind9-9.8.1.dfsg.P1/bin/named/query.c
@@ -1137,13 +1137,6 @@
mname = NULL;
}
- /*
- * If the dns_name_t we're looking up is already in the message,
- * we don't want to trigger the caller's name replacement logic.
- */
- if (name == mname)
- mname = NULL;
-
*mnamep = mname;
CTRACE("query_isduplicate: false: done");
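Review bot: with the "if (name == mname) mname = NULL;" check removed just before "*mnamep = mname;", query_isduplicate() can now hand the caller back the very name it passed in, and nothing left in the function says so. The deleted comment was the only documentation of that case; add a note at "*mnamep = mname;" or in the function header that callers must compare the returned name with their own before releasing it.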
@@ -1341,6 +1334,7 @@
if (dns_rdataset_isassociated(rdataset) &&
!query_isduplicate(client, fname, type, &mname)) {
if (mname != NULL) {
+ INSIST(mname != fname);
query_releasename(client, &fname);
fname = mname;
} else
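Review bot: INSIST(mname != fname) turns an unexpected mname == fname at this call site into an abort of named, while the three later call sites in this patch handle the same condition with an "if (mname != fname)" guard. In a fix for a remotely triggerable denial of service, either use the same guard here or add a comment explaining why query_isduplicate() cannot return fname on this path; the hunk shows nothing that establishes it.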
@@ -1401,11 +1395,13 @@
mname = NULL;
if (!query_isduplicate(client, fname,
dns_rdatatype_a, &mname)) {
- if (mname != NULL) {
- query_releasename(client, &fname);
- fname = mname;
- } else
- need_addname = ISC_TRUE;
+ if (mname != fname) {
+ if (mname != NULL) {
+ query_releasename(client,
&fname);
+ fname = mname;
+ } else
+ need_addname = ISC_TRUE;
+ }
ISC_LIST_APPEND(fname->list, rdataset, link);
added_something = ISC_TRUE;
if (sigrdataset != NULL &&
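Review bot: the new "if (mname != fname)" guard carries no comment, so a reader cannot tell that mname == fname means fname is already in the message and must be neither released nor marked with need_addname. Move the explanation that was deleted from query_isduplicate() to this block.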
@@ -1444,11 +1440,13 @@
mname = NULL;
if (!query_isduplicate(client, fname,
dns_rdatatype_aaaa, &mname)) {
- if (mname != NULL) {
- query_releasename(client, &fname);
- fname = mname;
- } else
- need_addname = ISC_TRUE;
+ if (mname != fname) {
+ if (mname != NULL) {
+ query_releasename(client,
&fname);
+ fname = mname;
+ } else
+ need_addname = ISC_TRUE;
+ }
ISC_LIST_APPEND(fname->list, rdataset, link);
added_something = ISC_TRUE;
if (sigrdataset != NULL &&
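Review bot: this guard-and-replace block for dns_rdatatype_aaaa is a copy of the dns_rdatatype_a block in the previous hunk, and the same logic appears a third time in the last hunk. If the backport does not have to stay line-for-line with 9.8.3-P4, a small helper taking client, &fname, mname and &need_addname would keep the copies from drifting apart; otherwise a shared comment pointing at the other sites would help.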
@@ -1960,22 +1958,24 @@
crdataset->type == dns_rdatatype_aaaa) {
if (!query_isduplicate(client, fname, crdataset->type,
&mname)) {
- if (mname != NULL) {
- /*
- * A different type of this name is
- * already stored in the additional
- * section. We'll reuse the name.
- * Note that this should happen at most
- * once. Otherwise, fname->link could
- * leak below.
- */
- INSIST(mname0 == NULL);
-
- query_releasename(client, &fname);
- fname = mname;
- mname0 = mname;
- } else
- need_addname = ISC_TRUE;
+ if (mname != fname) {
+ if (mname != NULL) {
+ /*
+ * A different type of this
name is
+ * already stored in the
additional
+ * section. We'll reuse the
name.
+ * Note that this should happen
at most
+ * once. Otherwise,
fname->link could
+ * leak below.
+ */
+ INSIST(mname0 == NULL);
+
+ query_releasename(client,
&fname);
+ fname = mname;
+ mname0 = mname;
+ } else
+ need_addname = ISC_TRUE;
+ }
ISC_LIST_UNLINK(cfname.list, crdataset, link);
ISC_LIST_APPEND(fname->list, crdataset, link);
added_something = ISC_TRUE;
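Review bot: the re-indented comment and the "query_releasename(client," call in this hunk are split across lines whose second half has no "+" prefix ("name is", "additional", "&fname);"), so this inline copy has been wrapped in transit and will not apply as quoted; use the attached NMU diff instead. The retained comment also still describes only the mname != NULL reuse case; add a sentence on what mname == fname means here, since mname0 is not updated and INSIST(mname0 == NULL) is not reached on that path.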
--- End Message ---