Your message dated Fri, 26 Apr 2019 09:18:38 +0000 with message-id <[email protected]> and subject line Bug#927932: fixed in bind9 1:9.11.5.P4+dfsg-4 has caused the Debian Bug report #927932, regarding bind9: CVE-2018-5743: Limiting simultaneous TCP clients is ineffective to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 927932: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927932 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: src:bind9 Severity: grave Tags: security, upstream CVE: CVE-2018-5743 Document version: 2.0 Posting date: 24 April 2019 Program impacted: BIND Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6, 9.12.0 -> 9.12.4, 9.14.0. BIND 9 Supported Preview Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5. Versions 9.13.0 -> 9.13.7 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5743. Severity: High Exploitable: Remotely Description: By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contains an error which can be exploited to grow the number of simultaneous connections beyond this limit. Impact: By exploiting the failure to limit simultaneous TCP connections, an attacker can deliberately exhaust the pool of file descriptors available to named, potentially affecting network connections and the management of files such as log files or zone journal files. In cases where the named process is not limited by OS-enforced per-process limits, this could additionally potentially lead to exhaustion of all available free file descriptors on that system. CVSS Score: 7.5 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Workarounds: None. Active exploits: No known deliberate exploits, but the situation may occur accidentally on busy servers. It is possible for operators to mistakenly believe that their configured (or default) limit is sufficient for their typical operations, when in fact it is not. Following an upgrade to a version that effectively applies limits, named may deny connections which were previously improperly permitted. Operators can monitor their logs for rejected connections, keep an eye on "rndc status" reports of simultaneous connections, or use other tools to monitor whether the now-effective limits are causing problems for legitimate clients. Should this be the case, increasing the value of the tcp-clients setting in named.conf to an appropriate value would be recommended. Solution: Upgrade to a version of BIND containing a fix for the ineffective limits. - BIND 9.11.6-P1 - BIND 9.12.4-P1 - BIND 9.14.1 BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers. - BIND 9.11.5-S6 - BIND 9.11.6-S1 Acknowledgements: ISC would like to thank AT&T for helping us to discover this issue. Document revision history: 1.0 Advance Notification, 16 January 2019 1.1 Recall due to error in original fix, 17 January 2019 1.3 Replacement fix delivered to Advance Notification customers, 15 April 2019 1.4 Corrected Versions affected and Solution, 16 April 2019 1.5 Added reference to BIND 9.11.6-S1 2.0 Public disclosure, 24 April 2019 Related documents: See our BIND 9 Security Vulnerability Matrix for a complete listing of security vulnerabilities and versions affected. Do you still have questions? Questions regarding this advisory should go to [email protected]. To report a new issue, please encrypt your message using [email protected]'s PGP key which can be found here: https://www.isc.org/downloads/software-support-policy/openpgp-key If you are unable to use encrypted email, you may also report new issues at: https://www.isc.org/community/report-bug/. Note: ISC patches only currently supported versions. When possible we indicate EOL versions affected. (For current information on which versions are actively supported, please see https://www.isc.org/downloads/.) ISC Security Vulnerability Disclosure Policy: Details of our current security advisory policy and practice can be found in the ISC Software Defect and Security Vulnerability Disclosure Policy. Legal Disclaimer: Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time. A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.
--- End Message ---
--- Begin Message ---Source: bind9 Source-Version: 1:9.11.5.P4+dfsg-4 We believe that the bug you reported is fixed in the latest version of bind9, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Ondřej Surý <[email protected]> (supplier of updated bind9 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Fri, 26 Apr 2019 08:33:13 +0000 Source: bind9 Architecture: source Version: 1:9.11.5.P4+dfsg-4 Distribution: unstable Urgency: medium Maintainer: Debian DNS Team <[email protected]> Changed-By: Ondřej Surý <[email protected]> Closes: 927827 927932 927962 Changes: bind9 (1:9.11.5.P4+dfsg-4) unstable; urgency=medium . [ Bernhard Schmidt ] * AppArmor: Also add /var/lib/samba/bind-dns/dns/** (Closes: #927827) . [ Ondřej Surý ] * [CVE-2018-5743]: Limiting simultaneous TCP clients is ineffective (Closes: #927932) * Update symbols file for new symbol in libisc * Enable EDDSA again, but disable broken Ed448 support (Closes: #927962) Checksums-Sha1: 1518620ebadac8956d140d38a5da40628c89b798 4056 bind9_9.11.5.P4+dfsg-4.dsc 9c792c441040a214a1657161936016c4c8ed39d3 103424 bind9_9.11.5.P4+dfsg-4.debian.tar.xz 1a16bda35783571b6155fd0f40304cec35c88d99 19521 bind9_9.11.5.P4+dfsg-4_amd64.buildinfo Checksums-Sha256: 6d7155f0300229105b86d4579793f3185c146d67d1946b3ea97558b21ba04b33 4056 bind9_9.11.5.P4+dfsg-4.dsc 4e25ff9e6b2fc28b96050e3f221f39cc85008c8945a8a38bf8b3edc78e18fbe4 103424 bind9_9.11.5.P4+dfsg-4.debian.tar.xz c5b83416c21022767414b78c4ebc8e99e276c36f9ee3bcc5f4cacf7dee1f90ab 19521 bind9_9.11.5.P4+dfsg-4_amd64.buildinfo Files: dca09f33c9a24e426e94b75b515ac0e1 4056 net optional bind9_9.11.5.P4+dfsg-4.dsc a2ebc8f64a7397658c35c48e578a0508 103424 net optional bind9_9.11.5.P4+dfsg-4.debian.tar.xz a332ae8395a0ff00ab5853ec50c5e7b3 19521 net optional bind9_9.11.5.P4+dfsg-4_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEEw2Gx4wKVQ+vGJel9g3Kkd++uWcIFAlzCyOFfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEMz NjFCMUUzMDI5NTQzRUJDNjI1RTk3RDgzNzJBNDc3RUZBRTU5QzIACgkQg3Kkd++u WcI5/g//UF7vFm5oDq8WjN8aOFf6Iq7DXkzcH6xPKcGJYDcS5bN4ykOGWAluGai/ bVJbQxBe9vc9LPmPx8j/dwY3TJ6XKxD1j3PKyNaY0EAvLhlXwlSCrISh4px7R/wI 6GvP89qXLG62B96Mgz9OdFdA+RR/HM2kSrLj+pc2E38bxwpBUxAMeFkQMLofvhem F/zhqnSg3v3aLV6c/CRSvYuLW3dftybYc7Hbafv40RtsABFi6O+eMvbs6NPb1D1z lKhg/ShmX3WyLl439xAhkwlKTpZFIfn9Uu5002zaYXFxrhUsmPB8eknA47KLwFBc APYwyoALxrTdEjxLrJR6aIpAJWkm3uC2e8nv/rfU4LI0AlWCPGngTGdwoWnEWuqV M8L3ogkVwrcKXYITn2RTh3ZuCgCH39YiYftZuSrfmcYpg3R7Djuxm/5nuMatEJJ1 av21jo8iA+w4ZU1bWK7jcfP0BL6vKzH7hjlJh2LEwm38socYDtk6ZY3yV6ru9xHX /wcdFWme7Tc4MnFINIFZ9ohWAI0sz0fiN0xM/lR3kOA085awQ/Z4EtMXXsXXiDYa aaBlIMJ9tZbSv5Ivra0rJpqYcKWqxid0vGkohF6th6vC6k0ZIFWg7fhB/JZwB4C7 qX2zu9+SdK16GtIVEW5gfhdkY8fhwEYG8guD9l+PpPpnA+ncYco= =tJrB -----END PGP SIGNATURE-----
--- End Message ---
