Your message dated Sat, 27 May 2017 12:32:09 +0000
with message-id <e1deat8-000irs...@fasolo.debian.org>
and subject line Bug#860225: fixed in bind9 1:9.9.5.dfsg-9+deb8u11
has caused the Debian Bug report #860225,
regarding bind9: CVE-2017-3137: A response packet can cause a resolver to 
terminate when processing an answer containing a CNAME or DNAME
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
860225: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860225
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: bind9
Version: 1:9.9.5.dfsg-9
Severity: grave
Tags: patch upstream security fixed-upstream

Hi,

the following vulnerability was published for bind9.

CVE-2017-3137[0]:
|A response packet can cause a resolver to terminate when processing an
|answer containing a CNAME or DNAME

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-3137
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3137
[1] https://kb.isc.org/article/AA-01466

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

--- End Message ---
--- Begin Message ---
Source: bind9
Source-Version: 1:9.9.5.dfsg-9+deb8u11

We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated bind9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 11 May 2017 08:39:19 +0200
Source: bind9
Binary: bind9 bind9utils bind9-doc host bind9-host libbind-dev libbind9-90
 libdns100 libisc95 liblwres90 libisccc90 libisccfg90 dnsutils lwresd
 libbind-export-dev libdns-export100 libdns-export100-udeb libisc-export95
 libisc-export95-udeb libisccfg-export90 libisccfg-export90-udeb libirs-export91
 libirs-export91-udeb
Architecture: all source
Version: 1:9.9.5.dfsg-9+deb8u11
Distribution: jessie-security
Urgency: high
Maintainer: LaMont Jones <lam...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 860224 860225 860226
Description: 
 bind9      - Internet Domain Name Server
 bind9-doc  - Documentation for BIND
 bind9-host - Version of 'host' bundled with BIND 9.X
 bind9utils - Utilities for BIND
 dnsutils   - Clients provided with BIND
 host       - Transitional package
 libbind-dev - Static Libraries and Headers used by BIND
 libbind-export-dev - Development files for the exported BIND libraries
 libbind9-90 - BIND9 Shared Library used by BIND
 libdns-export100 - Exported DNS Shared Library
 libdns-export100-udeb - Exported DNS library for debian-installer (udeb)
 libdns100  - DNS Shared Library used by BIND
 libirs-export91 - Exported IRS Shared Library
 libirs-export91-udeb - Exported IRS library for debian-installer (udeb)
 libisc-export95 - Exported ISC Shared Library
 libisc-export95-udeb - Exported ISC library for debian-installer (udeb)
 libisc95   - ISC Shared Library used by BIND
 libisccc90 - Command Channel Library used by BIND
 libisccfg-export90 - Exported ISC CFG Shared Library
 libisccfg-export90-udeb - Exported ISC CFG library for debian-installer (udeb)
 libisccfg90 - Config File Handling Library used by BIND
 liblwres90 - Lightweight Resolver Library used by BIND
 lwresd     - Lightweight Resolver Daemon
Changes:
 bind9 (1:9.9.5.dfsg-9+deb8u11) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Dns64 with "break-dnssec yes;" can result in an assertion failure.
     (CVE-2017-3136) (Closes: #860224)
   * Prerequisite for CVE-2017-3137 cherry-picked from upstream change #4190.
     If not cherry-picking this change the fix for CVE-2017-3137 can cause an
     assertion failure to appear in name.c.
   * Some chaining (CNAME or DNAME) responses to upstream queries could trigger
     assertion failures (CVE-2017-3137) (Closes: #860225)
   * Reimplement: Some chaining (CNAME or DNAME) responses to upstream queries
     could trigger assertion failures. (CVE-2017-3137)
   * Fix regression introduced when handling CNAME to referral below the
     current domain
   * 'rndc ""' could trigger an assertion failure in named. (CVE-2017-3138)
     (Closes: #860226)


--- End Message ---
