Re: [Freeipa-users] bind-dynamicdb TKEY update
On 29.7.2015 06:30, Jorgen Lundman wrote:
> Hola!
>
> So with today's advisory: https://kb.isc.org/article/AA-01272 we finally get to test the procedure to patch and update here :)
>
> Are there any plans for the dynamic_db github to pull in the fix, or should I proceed with that step?

For the record, dynamic_db repo is kind of obsolete because the API is being merged to upstream BIND (hopefully) and we are changing the API at the same time.

I.e. not merging fixes to dynamic_db repo should make you nervous :-)

See https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Patches#Futuredevelopment for further details.

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] bind-dynamicdb TKEY update
Hello Jorgen,

Given you ask on this list, I assume you are asking if this CVE is fixed in the FreeIPA DNS feature which utilizes BIND. The answer is - it depends :-) As the bug itself is in BIND, it depends if the patch made it for the given downstream platform.

As for Fedora and/or RHEL, I checked with the BIND maintainer and the fix is there, live. You can check the tracking bug, which is now public:

https://bugzilla.redhat.com/show_bug.cgi?id=1247361

HTH,
Martin

On 07/29/2015 06:41 AM, Jorgen Lundman wrote:
> Took a look at the diff while I was waiting:
>
> diff -rub bind-9.9.7-P1/lib/dns/tkey.c bind-9.9.7-P2/lib/dns/tkey.c --- bind-9.9.7-P1/lib/dns/tkey.c2015-06-18 07:48:03.0 +0900 +++ bind-9.9.7-P2/lib/dns/tkey.c2015-07-15 08:50:22.0 +0900 @@ -650,6 +650,7 @@ * Try the answer section, since that's where Win2000 * puts it. */ + name = NULL; if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname, dns_rdatatype_tkey, 0, name, tkeyset) != ISC_R_SUCCESS) {
>
> Sigh. All that work for one line. :)
>
> Lund
>
> Jorgen Lundman wrote:
>> Hola!
>>
>> So with today's advisory: https://kb.isc.org/article/AA-01272 we finally get to test the procedure to patch and update here :)
>>
>> Are there any plans for the dynamic_db github to pull in the fix, or should I proceed with that step?
>>
>> Sincerely,
>> Lund

[Freeipa-users] bind-dynamicdb TKEY update
Hola!

So with today's advisory: https://kb.isc.org/article/AA-01272 we finally get to test the procedure to patch and update here :)

Are there any plans for the dynamic_db github to pull in the fix, or should I proceed with that step?

Sincerely,
Lund

--
Jorgen Lundman       | lund...@lundman.net
Unix Administrator   | +81 (0)90-5578-8500 (work)
Shibuya-ku, Tokyo    | +81 (0)80-2090-5800 (cell)
Japan                | +81 (0)3 -3375-1767 (home)

Re: [Freeipa-users] bind-dynamicdb TKEY update
Took a look at the diff while I was waiting:

diff -rub bind-9.9.7-P1/lib/dns/tkey.c bind-9.9.7-P2/lib/dns/tkey.c --- bind-9.9.7-P1/lib/dns/tkey.c2015-06-18 07:48:03.0 +0900 +++ bind-9.9.7-P2/lib/dns/tkey.c2015-07-15 08:50:22.0 +0900 @@ -650,6 +650,7 @@ * Try the answer section, since that's where Win2000 * puts it. */ + name = NULL; if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname, dns_rdatatype_tkey, 0, name, tkeyset) != ISC_R_SUCCESS) {

Sigh. All that work for one line. :)

Lund

Jorgen Lundman wrote:
> Hola!
>
> So with today's advisory: https://kb.isc.org/article/AA-01272 we finally get to test the procedure to patch and update here :)
>
> Are there any plans for the dynamic_db github to pull in the fix, or should I proceed with that step?
>
> Sincerely,
> Lund
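
Review bot: The added `name = NULL;` ahead of the `DNS_SECTION_ANSWER` lookup in lib/dns/tkey.c carries no comment explaining why the reset is required, so it reads like a redundant assignment that a later cleanup could remove. The surrounding comment shows this call is a fallback attempt ("Try the answer section"), so `name` has presumably already been used by an earlier lookup and can still hold that result when `dns_message_findname()` is called again. Suggest a short comment on the new line stating that `name` must be reset before it is reused for a second lookup, and a check of any other place in this file where one output variable is passed to `dns_message_findname()` more than once.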