Your message dated Thu, 18 Feb 2021 07:48:35 +0000
with message-id <e1lce39-0007or...@fasolo.debian.org>
and subject line Bug#983004: fixed in bind9 1:9.16.12-1
has caused the Debian Bug report #983004,
regarding bind9: CVE-2020-8625
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
983004: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983004
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: bind9
Version: 1:9.16.11-2
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1:9.11.5.P4+dfsg-5.1+deb10u2
Control: found -1 1:9.11.5.P4+dfsg-5.1
Control: fixed -1 1:9.11.5.P4+dfsg-5.1+deb10u3

Hi,

The following vulnerability was published for bind9.

CVE-2020-8625[0]:
| BIND servers are vulnerable if they are running an affected version
| and are configured to use GSS-TSIG features. In a configuration which
| uses BIND's default settings the vulnerable code path is not exposed,
| but a server can be rendered vulnerable by explicitly setting valid
| values for the tkey-gssapi-keytab or tkey-gssapi-credential
| configuration options. Although the default configuration is
| not vulnerable, GSS-TSIG is frequently used in networks where BIND is
| integrated with Samba, as well as in mixed-server environments that
| combine BIND servers with Active Directory domain controllers. The
| most likely outcome of a successful exploitation of the vulnerability
| is a crash of the named process. However, remote code execution, while
| unproven, is theoretically possible. Affects: BIND 9.5.0 ->
| 9.11.27, 9.12.0 -> 9.16.11, and versions BIND 9.11.3-S1 ->
| 9.11.27-S1 and 9.16.8-S1 -> 9.16.11-S1 of BIND Supported Preview
| Edition. Also release versions 9.17.0 -> 9.17.1 of the BIND 9.17
| development branch.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8625
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8625
[1] https://kb.isc.org/v1/docs/cve-2020-8625
[2] https://gitlab.isc.org/isc-projects/bind9/commit/b04cb88462863d762093760ffcfe1946200e30f5

Regards,
Salvatore

--- End Message ---
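The advisory quoted above makes exposure to CVE-2020-8625 depend on two things at once: an affected upstream BIND version, and a named.conf that explicitly sets tkey-gssapi-keytab or tkey-gssapi-credential (the default configuration is not exposed). The following checker is an added example written for this page; it is not part of the bug report, of ISC's BIND, or of the Debian package. It assumes you hand it the upstream version string (as printed by `named -v`) and the text of named.conf; the affected ranges are the ones the advisory states, the Debian package versions on this page (1:9.16.11-2, deb10u2/deb10u3) are not parsed, and the two sample configurations are constructed for illustration.

```python
"""Exposure check for CVE-2020-8625 (BIND GSS-TSIG / SPNEGO off-by-one).

Added example, not Debian's or ISC's code. It applies the two conditions
from the ISC advisory: an affected upstream version AND a named.conf that
explicitly sets tkey-gssapi-keytab or tkey-gssapi-credential.
"""
import re

# Affected upstream ranges (inclusive) exactly as quoted in the advisory.
AFFECTED_RANGES = [
    ((9, 5, 0), (9, 11, 27)),
    ((9, 12, 0), (9, 16, 11)),
    ((9, 17, 0), (9, 17, 1)),
]
# Supported Preview Edition ("-S1") ranges from the advisory.
AFFECTED_S1_RANGES = [
    ((9, 11, 3), (9, 11, 27)),
    ((9, 16, 8), (9, 16, 11)),
]

# The two options whose presence (with a value) exposes the code path.
GSS_TSIG_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")


def parse_version(ver):
    """'9.16.11' -> ((9, 16, 11), False); '9.16.8-S1' -> ((9, 16, 8), True).

    A patch suffix such as '9.11.5-P4' or '9.11.5.P4' is treated as 9.11.5,
    which is an assumption of this example (patch releases share the base
    version's position in the ranges above)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]P\d+)?(-S1)?", ver.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version: {ver!r}")
    nums = tuple(int(m.group(i)) for i in (1, 2, 3))
    return nums, m.group(4) is not None


def version_affected(ver):
    """True if the upstream version lies inside an affected range."""
    nums, preview = parse_version(ver)
    ranges = AFFECTED_S1_RANGES if preview else AFFECTED_RANGES
    return any(lo <= nums <= hi for lo, hi in ranges)


def strip_comments(conf):
    """Remove /* */, // and # comments so a commented-out option is not
    counted as set. (Simplification: a '#' inside a quoted value would also
    be treated as a comment start.)"""
    conf = re.sub(r"/\*.*?\*/", " ", conf, flags=re.S)
    return re.sub(r"(//|#).*", " ", conf)


def gss_tsig_options_set(conf):
    """Return the GSS-TSIG options that are explicitly set, with a non-empty
    quoted or bare value, in the named.conf text."""
    text = strip_comments(conf)
    found = []
    for opt in GSS_TSIG_OPTIONS:
        if re.search(rf'\b{re.escape(opt)}\s+("[^"]+"|[^\s;"]+)\s*;', text):
            found.append(opt)
    return found


def exposed(ver, conf):
    """Both advisory conditions must hold for the server to be exposed."""
    return version_affected(ver) and bool(gss_tsig_options_set(conf))


# Constructed sample configurations (not taken from any real host).
SAMPLE_CONF = """\
options {
    directory "/var/cache/bind";
    // tkey-gssapi-keytab "/etc/bind/old.keytab";   commented out: ignored
    tkey-gssapi-keytab "/etc/krb5.keytab";
};
"""
DEFAULT_CONF = """\
options {
    directory "/var/cache/bind";
};
"""

if __name__ == "__main__":
    for ver in ("9.16.11", "9.16.12"):
        for name, conf in (("gss-tsig", SAMPLE_CONF), ("default", DEFAULT_CONF)):
            print(f"{ver:>8} {name:<9} affected={version_affected(ver)} "
                  f"options={gss_tsig_options_set(conf)} exposed={exposed(ver, conf)}")
```

Only the combination matters: a 9.16.11 server with the default configuration is not exposed, and the same configuration with tkey-gssapi-keytab set stops being exposed once the package is at 9.16.12 (the version this bug was closed with). The comment stripping is what keeps a commented-out keytab line from producing a false positive.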
--- Begin Message ---
Source: bind9
Source-Version: 1:9.16.12-1
Done: Ondřej Surý <ond...@debian.org>

We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 983...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ond...@debian.org> (supplier of updated bind9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 18 Feb 2021 08:13:58 +0100
Source: bind9
Architecture: source
Version: 1:9.16.12-1
Distribution: unstable
Urgency: high
Maintainer: Debian DNS Team <team+...@tracker.debian.org>
Changed-By: Ondřej Surý <ond...@debian.org>
Closes: 983004
Changes:
 bind9 (1:9.16.12-1) unstable; urgency=high
 .
   * New upstream version 9.16.12
    + [CVE-2020-8625]: Fix off-by-one bug in ISC SPNEGO implementation.
      (Closes: #983004)
   * Adjust the bind9-libs and bind9-dev packages for new upstream library
     names
Checksums-Sha1:
 ac3527eb770a08a7f974ee095362f4e8e5beecaf 2992 bind9_9.16.12-1.dsc
 4e75a4c9ffb905d7eaa389464f0f3418c94cb2e7 5017756 bind9_9.16.12.orig.tar.xz
 e7261896ff97242c06698da6bf9abb19e61c9dc6 77340 bind9_9.16.12-1.debian.tar.xz
 9ad3cf9d40daebd3aa7313cde3a9e9c0ad6a7107 15113 bind9_9.16.12-1_amd64.buildinfo
Checksums-Sha256:
 40bc601f6ca701f9ad293f0c9f8db7952dedd773c03c5bbcf629348324d165e6 2992 bind9_9.16.12-1.dsc
 9914af9311fd349cab441097898d94fb28d0bfd9bf6ed04fe1f97f042644da7f 5017756 bind9_9.16.12.orig.tar.xz
 e3a255242047d649bce8dfcf956ce79dd7d34ddd1ae429e942045135f3258160 77340 bind9_9.16.12-1.debian.tar.xz
 420043b76dd1d42928e4bdb92bec4653b944dbbba24e7a0ddd4f5ac248396a1c 15113 bind9_9.16.12-1_amd64.buildinfo
Files:
 631e74530f08e56dcfb4c3d9c69c5958 2992 net optional bind9_9.16.12-1.dsc
 61c545db393628152e5b2c957e8bf712 5017756 net optional bind9_9.16.12.orig.tar.xz
 f265e99a81e5a8ef0920e0853bcf4f95 77340 net optional bind9_9.16.12-1.debian.tar.xz
 8c12cf3b34efd2c394c17cb9d61cc0e7 15113 net optional bind9_9.16.12-1_amd64.buildinfo


--- End Message ---
