On Mon, Feb 25, 2013 at 08:29:10AM -0700, LaMont Jones wrote:
> On Sun, Feb 24, 2013 at 11:53:01AM +0000, Dominic Hargreaves wrote:
> > On Mon, Jan 28, 2013 at 07:37:03AM +0100, Moritz Muehlenhoff wrote:
> > Given these, I am not convinced that this should be RC for wheezy.
> > How about a NEWS item drawing attention to the issue and workaround,
> > and a downgrade to important?
> 
> Agreed

Attached is a proposed trivial patch. Please feel free to reuse/mangle
as you like, and let me know if an NMU would be appropriate.

Not tagging patch, because releasing this fix would only justify
lowering the severity, not closing the bug.

Thanks,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
From 84207ccd05f26bd7359c16b27cc0a5501b1e03ca Mon Sep 17 00:00:00 2001
From: Dominic Hargreaves <d...@earth.li>
Date: Wed, 27 Feb 2013 00:38:11 +0000
Subject: [PATCH] Add NEWS item to draw attention to CVE-2012-5689

and the recommended workaround. See #699145
---
 debian/bind9.NEWS |   18 ++++++++++++++++++
 debian/changelog  |    8 ++++++++
 2 files changed, 26 insertions(+)

diff --git a/debian/bind9.NEWS b/debian/bind9.NEWS
index d235da6..eb041ab 100644
--- a/debian/bind9.NEWS
+++ b/debian/bind9.NEWS
@@ -1,3 +1,21 @@
+bind9 (1:9.8.4.dfsg.P1-5.1) unstable; urgency=low
+
+  This version of bind9 contains a known security flaw, CVE-2012-5689,
+  affecting a comparatively rare configuration involving DNS64 and
+  Response Policy Zones. The flaw could cause the server to terminate
+  with an assertion failure when processing queries. There is no
+  production-quality fix for this issue yet, but a complete and effective
+  workaround is available:
+  
+  If using DNS64 and Response Policy Zones together, make sure the RPZ
+  contains a AAAA rewrite rule for every A rewrite rule. If the RPZ
+  provides a AAAA answer without the assistance of DNS64, the bug is not
+  triggered. 
+
+  For more information, please see <https://kb.isc.org/article/AA-00855>.
+
+ -- Dominic Hargreaves <d...@earth.li>  Wed, 27 Feb 2013 00:32:20 +0000
+
 bind9 (1:9.4.0-1) experimental; urgency=low
 
   As of bind 9.4, allow-query-cache and allow-recursion default to the
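Review bot: two of the added lines carry trailing whitespace (the blank line after "workaround is available:" and the line ending "triggered. "), which shows up as noise in later diffs and in tools that flag it; strip it before upload. The sentence "There is no production-quality fix for this issue yet" will go stale once a fixed bind9 reaches the archive, so whichever upload carries the real fix should amend or supersede this NEWS entry rather than leave it as the latest item. Minor wording: "a AAAA rewrite rule" reads more naturally as "an AAAA rewrite rule" (both occurrences).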
diff --git a/debian/changelog b/debian/changelog
index c48d535..d89a7a7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+bind9 (1:9.8.4.dfsg.P1-5.1) UNRELEASED; urgency=low
+
+  * Non-maintainer upload.
+  * Add NEWS item to draw attention to CVE-2012-5689 and the recommended
+    workaround. See #699145
+
+ -- Dominic Hargreaves <d...@earth.li>  Wed, 27 Feb 2013 00:32:20 +0000
+
 bind9 (1:9.8.4.dfsg.P1-5) unstable; urgency=low
 
   [LaMont Jones]
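Review bot: the distribution field here is UNRELEASED while the matching NEWS entry header for the same version says unstable; switch this to unstable at upload time and keep the version, maintainer line and date identical in both files so the two headers do not disagree. Using "See #699145" rather than "Closes: #699145" is the right choice given the stated intent (justify a severity downgrade, not close the bug), since a Closes tag would make the BTS auto-close it on upload.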
-- 
1.7.10.4
