Your message dated Mon, 13 May 2019 21:17:13 +0000
with message-id <e1hqijt-00077o...@fasolo.debian.org>
and subject line Bug#927932: fixed in bind9 1:9.10.3.dfsg.P4-12.3+deb9u5
has caused the Debian Bug report #927932,
regarding bind9: CVE-2018-5743: Limiting simultaneous TCP clients is ineffective
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
927932: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927932
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: src:bind9
Severity: grave
Tags: security, upstream
CVE: CVE-2018-5743
Document version: 2.0
Posting date: 24 April 2019
Program impacted: BIND
Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6,
9.12.0 -> 9.12.4, 9.14.0. BIND 9 Supported Preview
Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5.
Versions 9.13.0 -> 9.13.7 of the 9.13 development branch
are also affected. Versions prior to BIND 9.9.0 have not
been evaluated for vulnerability to CVE-2018-5743.
Severity: High
Exploitable: Remotely
Description:
By design, BIND is intended to limit the number of TCP clients
that can be connected at any given time. The number of allowed
connections is a tunable parameter which, if unset, defaults to
a conservative value for most servers. Unfortunately, the code
which was intended to limit the number of simultaneous connections
contains an error which can be exploited to grow the number of
simultaneous connections beyond this limit.
Impact:
By exploiting the failure to limit simultaneous TCP connections,
an attacker can deliberately exhaust the pool of file descriptors
available to named, potentially affecting network connections
and the management of files such as log files or zone journal
files.
In cases where the named process is not limited by OS-enforced
per-process limits, this could additionally potentially lead to
exhaustion of all available free file descriptors on that system.
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
For more information on the Common Vulnerability Scoring System and
to obtain your specific environmental score please visit:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Workarounds:
None.
Active exploits:
No known deliberate exploits, but the situation may occur
accidentally on busy servers.
It is possible for operators to mistakenly believe that their
configured (or default) limit is sufficient for their typical
operations, when in fact it is not. Following an upgrade to a
version that effectively applies limits, named may deny connections
which were previously improperly permitted. Operators can monitor
their logs for rejected connections, keep an eye on "rndc status"
reports of simultaneous connections, or use other tools to monitor
whether the now-effective limits are causing problems for
legitimate clients. Should this be the case, increasing the value
of the tcp-clients setting in named.conf to an appropriate value
would be recommended.
Solution:
Upgrade to a version of BIND containing a fix for the ineffective
limits.
- BIND 9.11.6-P1
- BIND 9.12.4-P1
- BIND 9.14.1
BIND Supported Preview Edition is a special feature preview
branch of BIND provided to eligible ISC support customers.
- BIND 9.11.5-S6
- BIND 9.11.6-S1
Acknowledgements:
ISC would like to thank AT&T for helping us to discover this
issue.
Document revision history:
1.0 Advance Notification, 16 January 2019
1.1 Recall due to error in original fix, 17 January 2019
1.3 Replacement fix delivered to Advance Notification customers, 15
April 2019
1.4 Corrected Versions affected and Solution, 16 April 2019
1.5 Added reference to BIND 9.11.6-S1
2.0 Public disclosure, 24 April 2019
Related documents:
See our BIND 9 Security Vulnerability Matrix for a complete
listing of security vulnerabilities and versions affected.
Do you still have questions? Questions regarding this advisory
should go to security-offi...@isc.org. To report a new issue, please
encrypt your message using security-offi...@isc.org's PGP key which
can be found here:
https://www.isc.org/downloads/software-support-policy/openpgp-key
If you are unable to use encrypted email, you may also report new
issues at: https://www.isc.org/community/report-bug/.
Note:
ISC patches only currently supported versions. When possible we
indicate EOL versions affected. (For current information on which
versions are actively supported, please see
https://www.isc.org/downloads/.)
ISC Security Vulnerability Disclosure Policy:
Details of our current security advisory policy and practice can
be found in the ISC Software Defect and Security Vulnerability
Disclosure Policy.
Legal Disclaimer:
Internet Systems Consortium (ISC) is providing this notice on
an "AS IS" basis. No warranty or guarantee of any kind is expressed
in this notice and none should be implied. ISC expressly excludes
and disclaims any warranties regarding this notice or materials
referred to in this notice, including, without limitation, any
implied warranty of merchantability, fitness for a particular
purpose, absence of hidden defects, or of non-infringement. Your
use or reliance on this notice or materials referred to in this
notice is at your own risk. ISC may change this notice at any
time. A stand-alone copy or paraphrase of the text of this
document that omits the document URL is an uncontrolled copy.
Uncontrolled copies may lack important information, be out of
date, or contain factual errors.
--- End Message ---
--- Begin Message ---
Source: bind9
Source-Version: 1:9.10.3.dfsg.P4-12.3+deb9u5
We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 927...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bernhard Schmidt <be...@debian.org> (supplier of updated bind9 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 03 May 2019 22:34:35 +0200
Source: bind9
Binary: bind9 bind9utils bind9-doc host bind9-host libbind-dev libbind9-140
libdns162 libirs141 libisc160 liblwres141 libisccc140 libisccfg140 dnsutils
lwresd libbind-export-dev libdns-export162 libdns-export162-udeb
libisc-export160 libisc-export160-udeb libisccfg-export140 libisccc-export140
libisccc-export140-udeb libisccfg-export140-udeb libirs-export141
libirs-export141-udeb
Architecture: source
Version: 1:9.10.3.dfsg.P4-12.3+deb9u5
Distribution: stretch-security
Urgency: high
Maintainer: Debian DNS Packaging <pkg-dns-de...@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <be...@debian.org>
Description:
bind9 - Internet Domain Name Server
bind9-doc - Documentation for BIND
bind9-host - Version of 'host' bundled with BIND 9.X
bind9utils - Utilities for BIND
dnsutils - Clients provided with BIND
host - Transitional package
libbind-dev - Static Libraries and Headers used by BIND
libbind-export-dev - Development files for the exported BIND libraries
libbind9-140 - BIND9 Shared Library used by BIND
libdns-export162 - Exported DNS Shared Library
libdns-export162-udeb - Exported DNS library for debian-installer (udeb)
libdns162 - DNS Shared Library used by BIND
libirs-export141 - Exported IRS Shared Library
libirs-export141-udeb - Exported IRS library for debian-installer (udeb)
libirs141 - DNS Shared Library used by BIND
libisc-export160 - Exported ISC Shared Library
libisc-export160-udeb - Exported ISC library for debian-installer (udeb)
libisc160 - ISC Shared Library used by BIND
libisccc-export140 - Command Channel Library used by BIND
libisccc-export140-udeb - Command Channel Library used by BIND (udeb)
libisccc140 - Command Channel Library used by BIND
libisccfg-export140 - Exported ISC CFG Shared Library
libisccfg-export140-udeb - Exported ISC CFG library for debian-installer (udeb)
libisccfg140 - Config File Handling Library used by BIND
liblwres141 - Lightweight Resolver Library used by BIND
lwresd - Lightweight Resolver Daemon
Closes: 922954 922955 927932
Changes:
bind9 (1:9.10.3.dfsg.P4-12.3+deb9u5) stretch-security; urgency=high
.
[ Marc Deslauriers (Ubuntu) ]
* CVE-2018-5743: limiting simultaneous TCP clients is ineffective.
Thanks to Marc Deslauriers of Ubuntu (Closes: #927932)
.
[ Ondřej Surý ]
* Sync Maintainer and Uploaders with unstable
* [CVE-2019-6465]: Zone transfer for DLZs are executed though not
permitted by ACLs. (Closes: #922955)
* [CVE-2018-5745]: Avoid assertion and thus causing named to
deliberately exit when a trust anchor's key is replaced with a key
which uses an unsupported algorithm. (Closes: #922954)
Checksums-Sha1:
6860272e873dc1832c650fd4297a10e07d8a79f7 3908
bind9_9.10.3.dfsg.P4-12.3+deb9u5.dsc
4e729f86198c8724c58a2e0dc695cc8be96f2a8a 98420
bind9_9.10.3.dfsg.P4-12.3+deb9u5.debian.tar.xz
505a434d946ea958238008ce240871e1eb1e9513 21618
bind9_9.10.3.dfsg.P4-12.3+deb9u5_amd64.buildinfo
Checksums-Sha256:
86ab6f642822821b115319f489a9b64d0b7b2b924a176677b536d5a373a1ec92 3908
bind9_9.10.3.dfsg.P4-12.3+deb9u5.dsc
0cb2d69f869c45b0ad65253dfce0ec1d850dc70a49eb14169d91b3a06fbb9047 98420
bind9_9.10.3.dfsg.P4-12.3+deb9u5.debian.tar.xz
bb104617c40823b776a4ac366eb78e295b11c5f83231602cbc6ad188ca411813 21618
bind9_9.10.3.dfsg.P4-12.3+deb9u5_amd64.buildinfo
Files:
65559b9d5844fc65327fe313b0e408dd 3908 net optional
bind9_9.10.3.dfsg.P4-12.3+deb9u5.dsc
ffa19a3fdd7bda1215cf1dadb3adc4c3 98420 net optional
bind9_9.10.3.dfsg.P4-12.3+deb9u5.debian.tar.xz
0d2a4d0a411005cc2291ac82c4ea5aef 21618 net optional
bind9_9.10.3.dfsg.P4-12.3+deb9u5_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJFBAEBCgAvFiEE1uAexRal3873GVbTd1B55bhQvJMFAlzN8lsRHGJlcm5pQGRl
Ymlhbi5vcmcACgkQd1B55bhQvJMJrRAAgWzqfvqdAPWpi/aOL9y79BZRECTKMzn7
OoXDuBju8AbMO92Fs1hWbnTZeWJLxFp1Ht63WG9bmk7lkYzdWvB9OZvlmFmlOY6I
5gNNeSkT+0meW07in6KDZ+StXFrz0LwWDhYFKLKE187AzSK2Rr3ZIo43hFwI1Mif
KXPB4Oun/y1kC+LUJrPZiHfJSoYkBwFiwN+EKgk7JrFgl+1z1wANaeaJooAdUalF
5ICmd/P6X5zrfuMsmcqhCEJWg/zT9f15x+/cYCep+FBhWcFDqPUXlnl9r8USTb1J
d40FSf7Mr6OrCLBaaNBSff1GeIdh7+dBGRlW/Wtw6B6vPqBgT0+QKfY4kmXrjC74
Ryp4J5TvT8TO7F8ejkKVMIsH/OGhJqbJc4/4gmVH438e1Z2cJEn6ywDJN7Z8nhpk
lIRmrVlxj2j6pgxwnThCwxpnJAjuQc5ycbMiMbHSC6Y7vt3D0gqQElsWA8hHYcGc
gyvGeo9i0r1PIJq8U/65YcXgppxUH4L7C+u2Bn0fdQLSNjd+ndupbaQ5u9odqIKu
TxNKaBN+plryrbusLnniXERz0fNx0u4LqdjG8d9T8EkbF3oh2WKs+RAs7wQhcQaZ
7t+5ndumaLgx+/d6xfBERxmnvIc8dLdX49KNY56hbpdlHfYVR0CXUNyq1Vu3BvxO
8obm3n79Ix4=
=LFoK
-----END PGP SIGNATURE-----
--- End Message ---
