Bug#699145: bind9: CVE-2012-5689
On Wed, Feb 27, 2013 at 12:41:37AM +, Dominic Hargreaves wrote:
> On Mon, Feb 25, 2013 at 08:29:10AM -0700, LaMont Jones wrote:
> > On Sun, Feb 24, 2013 at 11:53:01AM +, Dominic Hargreaves wrote:
> > > On Mon, Jan 28, 2013 at 07:37:03AM +0100, Moritz Muehlenhoff wrote:
> > > Given these, I am not convinced that this should be RC for wheezy. How
> > > about a NEWS item drawing attention to the issue and workaround, and a
> > > downgrade to important?
> >
> > Agreed
>
> Attached is a proposed trivial patch. Please feel free to reuse/mangle as
> you like, and let me know if an NMU would be appropriate.
>
> Not tagging patch, because releasing this fix would only justify lowering
> the severity, not closing the bug.

Looks good to me.

Cheers,
Moritz

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#699145: bind9: CVE-2012-5689
On Mon, Feb 25, 2013 at 08:29:10AM -0700, LaMont Jones wrote:
> On Sun, Feb 24, 2013 at 11:53:01AM +, Dominic Hargreaves wrote:
> > On Mon, Jan 28, 2013 at 07:37:03AM +0100, Moritz Muehlenhoff wrote:
> > Given these, I am not convinced that this should be RC for wheezy. How
> > about a NEWS item drawing attention to the issue and workaround, and a
> > downgrade to important?
>
> Agreed

Attached is a proposed trivial patch. Please feel free to reuse/mangle as
you like, and let me know if an NMU would be appropriate.

Not tagging patch, because releasing this fix would only justify lowering
the severity, not closing the bug.

Thanks,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

From 84207ccd05f26bd7359c16b27cc0a5501b1e03ca Mon Sep 17 00:00:00 2001
From: Dominic Hargreaves d...@earth.li
Date: Wed, 27 Feb 2013 00:38:11 +
Subject: [PATCH] Add NEWS item to draw attention to CVE-2012-5689 and the recommended workaround. See #699145

---
 debian/bind9.NEWS | 18 ++
 debian/changelog  |  8
 2 files changed, 26 insertions(+)

diff --git a/debian/bind9.NEWS b/debian/bind9.NEWS
index d235da6..eb041ab 100644
--- a/debian/bind9.NEWS
+++ b/debian/bind9.NEWS
@@ -1,3 +1,21 @@ +bind9 (1:9.8.4.dfsg.P1-5.1) unstable; urgency=low + + This version of bind9 contains a known security flaw, CVE-2012-5689, + affecting a comparatively rare configuration involving DNS64 and + Response Policy Zones. The flaw could cause the server to terminate + with an assertion failure when processing queries. There is no + production-quality fix for this issue yet, but a complete and effective + workaround is available: + + If using DNS64 and Response Policy Zones together, make sure the RPZ + contains a rewrite rule for every A rewrite rule. If the RPZ + provides a answer without the assistance of DNS64, the bug is not + triggered. + + For more information, please see https://kb.isc.org/article/AA-00855. + + -- Dominic Hargreaves d...@earth.li Wed, 27 Feb 2013 00:32:20 + + bind9 (1:9.4.0-1) experimental; urgency=low As of bind 9.4, allow-query-cache and allow-recursion default to the diff --git a/debian/changelog b/debian/changelog index c48d535..d89a7a7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +bind9 (1:9.8.4.dfsg.P1-5.1) UNRELEASED; urgency=low + + * Non-maintainer upload. + * Add NEWS item to draw attention to CVE-2012-5689 and the recommended +workaround. See #699145 + + -- Dominic Hargreaves d...@earth.li Wed, 27 Feb 2013 00:32:20 + + bind9 (1:9.8.4.dfsg.P1-5) unstable; urgency=low [LaMont Jones] -- 1.7.10.4
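Review bot: in the debian/bind9.NEWS hunk the workaround text "make sure the RPZ contains a rewrite rule for every A rewrite rule" does not name the record type of the rule that has to be added, so an administrator reading the NEWS item cannot act on it; spell the type out, and in the same paragraph change "If the RPZ provides a answer" to "provides an answer" (again stating which answer type is meant). The NEWS stanza is also headed "unstable" while the changelog stanza for the same version is "UNRELEASED"; make sure both say the same thing at upload time.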
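Review bot: the continuation line "+workaround. See #699145" in the debian/changelog hunk shows no leading whitespace; change-detail continuation lines must be indented by at least two spaces or dpkg-parsechangelog will treat the line as the start of a new stanza, so verify the indentation of that line in the patch file (it may be an artefact of how the patch was pasted). Referring to the bug with "See #699145" rather than "Closes:" is consistent with the cover note that this upload only justifies lowering the severity, not closing the bug.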
Bug#699145: bind9: CVE-2012-5689
On Sun, Feb 24, 2013 at 11:53:01AM +, Dominic Hargreaves wrote:
> On Mon, Jan 28, 2013 at 07:37:03AM +0100, Moritz Muehlenhoff wrote:
> Given these, I am not convinced that this should be RC for wheezy. How
> about a NEWS item drawing attention to the issue and workaround, and a
> downgrade to important?

Agreed

> Note: I was unable to find any public upstream VCS for BIND 9 so was
> unable to easily find the relevant patch. Could the BIND 9 maintainers
> comment on whether they would consider including the patch?

No plans to include it until a production quality patch is available,
given how trivial and complete the workaround is.

lamont
Bug#699145: bind9: CVE-2012-5689
On Mon, Jan 28, 2013 at 07:37:03AM +0100, Moritz Muehlenhoff wrote:
> Package: bind9
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Please see https://kb.isc.org/article/AA-00855 for details.

Hello,

I'm providing a summary of the issue following my investigation as a
non-bind9 developer:

- a DoS (server crash with assertion failure) in a rare configuration
  involving both DNS64 and Response Policy Zones, when maintaining A
  rewrite rules but not rewrite rules
- the workaround is to make sure the RPZ contains a rewrite rule for
  every A rewrite rule
- there is no production-quality patch available upstream (but there is
  a patch in 9.8.5b1). However, the suggested workaround is a complete
  remedy for those who are using DNS64 in conjunction with RPZ, and is
  recommended in preference to running beta code in a production
  environment.

Given these, I am not convinced that this should be RC for wheezy. How
about a NEWS item drawing attention to the issue and workaround, and a
downgrade to important?

Note: I was unable to find any public upstream VCS for BIND 9 so was
unable to easily find the relevant patch. Could the BIND 9 maintainers
comment on whether they would consider including the patch?

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
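The workaround summarised above can be checked mechanically rather than by eye. The following is an added example, not code from the bug report or from the bind9 package: a Python script that scans an RPZ zone file and lists owner names that carry an A rewrite rule but no AAAA rule. It assumes the missing pair is the AAAA rule, which the message text does not spell out but which follows from DNS64 synthesising AAAA answers from A data; the zone content is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample RPZ zone fragment (not taken from the bug report):
# two rewrite names with both A and AAAA rules, two with only an A rule.
SAMPLE_RPZ_ZONE = """\
$TTL 300
@                  IN SOA   localhost. root.localhost. (1 3600 600 86400 300)
                   IN NS    localhost.
bad.example.com    IN A     192.0.2.10   ; walled-garden answer
bad.example.com    IN AAAA  2001:db8::10 ; paired AAAA rule: DNS64 not needed
worse.example.com  IN A     192.0.2.11   ; A only: DNS64 would synthesise AAAA
walled.example.com IN CNAME walled-garden.example.net.
*.evil.example.com IN A     192.0.2.12
"""

# Matches "owner [ttl] [IN] A|AAAA rdata" at the start of a line.
RR_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<rtype>A|AAAA)\s+\S+",
    re.IGNORECASE,
)


def find_a_only_rewrites(zone_text):
    """Return sorted owner names that have an A rewrite rule but no AAAA rule.

    With DNS64 enabled, these are exactly the names for which named would try
    to build an AAAA answer out of the RPZ A record, i.e. the configuration
    the workaround tells you to eliminate by adding an explicit AAAA rule.
    """
    types_by_owner = defaultdict(set)
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].rstrip()  # strip zone-file comments
        if not line or line.startswith("$"):     # skip blanks and directives
            continue
        m = RR_LINE.match(line)
        if m:
            types_by_owner[m.group("owner").lower()].add(m.group("rtype").upper())
    return sorted(o for o, t in types_by_owner.items()
                  if "A" in t and "AAAA" not in t)


if __name__ == "__main__":
    for owner in find_a_only_rewrites(SAMPLE_RPZ_ZONE):
        print(f"{owner}: A rewrite rule without a matching AAAA rule")
```

Run it against each zone listed in the server's response-policy statement; an empty result means the workaround is fully applied for that zone.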
Bug#699145: bind9: CVE-2012-5689
Package: bind9
Severity: grave
Tags: security
Justification: user security hole

Please see https://kb.isc.org/article/AA-00855 for details.

Cheers,
Moritz