Re: Bug#690569: Bug#690142: remote named DoS on recursor (CVE-2012-5166) and Bug#690569 (DNS wildcards fail to resolve with DNSSEC enabled)

2012-10-18 Thread Michael Gilbert
On Wed, Oct 17, 2012 at 10:22 PM, Matthew Grant wrote:
> On Wed, Oct 17, 2012 at 1:57 PM, Michael Gilbert wrote:
> > No.  We're in the freeze now.  Fixes need to be backported.


> If backporting a fix is not possible with the certainty of no introduced
> bugs, we have no choice.
>
> Debian Bind9 cannot ship with a basic DNS protocol handling error. As it
> stands it is severely broken in the resolver.  DNSSEC on the Internet is now
> a must.

Do a diff (on the 9.8 tarballs), and try to isolate the code fixing
this problem.  You seem to have a lot of interest in this, so try to
spend some time looking at it.

> My case is put.  Could the security team please help to determine what to
> do.

If you want to bump the upstream version, that is the release team's
call.  You should ask them.

Best wishes,
Mike



Re: Bug#690569: Bug#690142: remote named DoS on recursor (CVE-2012-5166) and Bug#690569 (DNS wildcards fail to resolve with DNSSEC enabled)

2012-10-17 Thread Matthew Grant
On Wed, Oct 17, 2012 at 1:57 PM, Michael Gilbert mgilb...@debian.org wrote:

> On Tue, Oct 16, 2012 at 6:49 PM, Matthew Grant wrote:
> > Can Bug #690569 (DNS wildcards fail to resolve with DNSsec enabled -
> > breaks RFC 4035) be reclassified as grave, or at least Important severity?


You implied a bug severity increase.  It's now at important.


 
> > We need to get something done about this one.  Having to turn off DNSSEC
> > validation to get correct resolution behaviour is not good for security
> > re DNS cache poisoning attacks, which is why DNSSEC was implemented in
> > DNS.

> I did a diff between 9.6-R5 and -R6 and extracted the parts seeming to
> relate to wildcard handling.  Someone will have to look at whether
> those are the right changes and if they're complete, and then port it
> to the current version.  See attached.


Checked diff.  It looks a mess.  Have you compiled the bind9 package and
checked that it handles wildcard queries?

I am not confident that data structures are handled correctly.  (I used to
be a professional router C programmer, and have extensive kernel patch
experience.)

Could someone on the security team who knows bind9 look at this please to
see if they can patch bind9 9.8.1.dfsg-4.2 and 9.7.3 (squeeze)?


> > Also, to resolve this, is it alright to NMU Bind 9.8.4 (latest 9.8.x)
> > please. LaMont Jones, it would be good if you could do this please? Does
> > not look that hard.  Have looked in bind9 package git.

> No.  We're in the freeze now.  Fixes need to be backported.


If backporting a fix is not possible with the certainty of no introduced
bugs, we have no choice.

Debian Bind9 cannot ship with a basic DNS protocol handling error. As it
stands it is severely broken in the resolver.  DNSSEC on the Internet is
now a must.

ISC have been diligent in backporting fixes to their 9.8.x minor version
stream.  There are only one or two new features, and I believe one or two
configuration changes that are backwards compatible.  Consequently Bind 9.8.4
(or 9.7.7) is mostly coherent with Debian's policy of backporting fixes.
(ISC really know their own data structures, but also unfortunately do not
make their VCS publicly available, only release complete tarballs, so
finding the 100% correct patch can be a major problem.)  I believe a policy
exception is possible in this case if needed, given that bind9 is such an
important piece of software.

My case is put.  Could the security team please help to determine what to
do.

Regards,

Matthew Grant
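The bug the thread is about, wildcard names failing to resolve once DNSSEC validation is switched on, lives in the part of RFC 4035 that handles wildcard-expanded answers. As an added example that is not code from the thread, from the Debian bind9 package or from ISC, the following Python shows the two checks a validating resolver has to make on such an answer: reconstructing the wildcard owner name from the RRSIG Labels field (RFC 4034 section 3.1.3) and confirming that an NSEC record proves the queried name itself does not exist (RFC 4035 section 5.3.4), using RFC 4034 section 6.1 canonical name ordering for the NSEC span. The zone names, Labels values and NSEC records are constructed sample data; verifying the RRSIG signature over the reconstructed name is assumed to happen elsewhere and is not shown.

```python
# Added example (not from the thread, the Debian bind9 package or ISC):
# the checks a DNSSEC validator performs on a wildcard-synthesized answer,
# following RFC 4034 sections 3.1.3 and 6.1 and RFC 4035 section 5.3.4.
# All names and record fields used here are constructed sample data.


def labels(name):
    """Split an absolute dotted name into its labels, dropping the root label."""
    return [lab for lab in name.rstrip(".").split(".") if lab]


def signed_owner_name(owner, rrsig_labels):
    """Return (name the signature covers, whether wildcard expansion happened).

    RFC 4034 3.1.3: the RRSIG Labels field holds the label count of the
    original owner name, not counting the root or a leading '*'. If it is
    smaller than the label count of the owner name in the answer, the RRset
    was synthesized from a wildcard, and the signature must be verified over
    '*' prepended to the rightmost Labels labels of the owner name.
    """
    owner_labels = labels(owner)
    if rrsig_labels > len(owner_labels):
        # A Labels value larger than the owner name can never be valid:
        # the RRSIG is bogus and must not be used.
        raise ValueError("RRSIG Labels field exceeds owner name label count")
    if rrsig_labels == len(owner_labels):
        return ".".join(owner_labels) + ".", False
    suffix = owner_labels[-rrsig_labels:] if rrsig_labels else []
    return "*." + "".join(lab + "." for lab in suffix), True


def _canonical_label(lab):
    """Lowercase only uppercase US-ASCII letters, as RFC 4034 6.2 requires."""
    raw = lab.encode("latin-1")
    return bytes(b + 32 if 65 <= b <= 90 else b for b in raw)


def canonical_key(name):
    """Sort key implementing RFC 4034 6.1 canonical DNS name order.

    Labels are compared from the rightmost (most significant) one as byte
    strings; a name with fewer labels sorts before the names beneath it,
    which is exactly how Python compares tuples of unequal length.
    """
    return tuple(_canonical_label(lab) for lab in reversed(labels(name)))


def nsec_covers(name, nsec_owner, nsec_next):
    """True if an NSEC record proves that `name` does not exist.

    The NSEC with owner nsec_owner and Next Domain Name nsec_next asserts
    that no name lies strictly between them in canonical order. The last
    NSEC of a zone points back to the apex, so when nsec_next sorts at or
    before nsec_owner the covered span wraps around the end of the zone.
    """
    k = canonical_key(name)
    lo, hi = canonical_key(nsec_owner), canonical_key(nsec_next)
    if lo < hi:
        return lo < k < hi
    return k > lo or k < hi


def check_wildcard_answer(qname, rrsig_labels, nsec_owner, nsec_next):
    """Outcome a validator reaches for a positive answer RRset owned by qname.

    RFC 4035 5.3.4: a wildcard-expanded answer is only Secure if the RRSIG
    verifies over the reconstructed wildcard name AND an NSEC record proves
    that qname itself does not exist, i.e. that no closer match than the
    wildcard was available. Signature verification is out of scope here.
    """
    signed, expanded = signed_owner_name(qname, rrsig_labels)
    if not expanded:
        return {"signed_name": signed, "wildcard": False, "proof_ok": True}
    return {"signed_name": signed, "wildcard": True,
            "proof_ok": nsec_covers(qname, nsec_owner, nsec_next)}


if __name__ == "__main__":
    # Constructed zone: example.com. contains a.example.com., *.example.com.
    # and z.example.com.; host.example.com. is answered from the wildcard,
    # so its RRSIG carries Labels=2 and the NSEC a -> z proves host is absent.
    print(check_wildcard_answer("host.example.com.", 2,
                                "a.example.com.", "z.example.com."))
    # Same answer, but the NSEC supplied does not span the query name.
    print(check_wildcard_answer("host.example.com.", 2,
                                "a.example.com.", "b.example.com."))
```

The first call reports the signed name `*.example.com.` with a good proof; the second reports the same signed name with `proof_ok` false, which is the case a validator must return as Bogus rather than accept. When reproducing the thread's report against a test zone, comparing what the resolver returns for a wildcard name with what these two checks say the answer should be separates a bad answer from a validator that mishandles a good one.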