Debian Bug report logs - #599515: bind9: CVE-2010-3762
Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>
Date: Fri, 8 Oct 2010 10:33:01 UTC
Severity: grave
Tags: security
Fixed in versions bind9/1:9.7.2.dfsg.P2-1, 1:9.7.3.dfsg-1~squeeze2
Done: bertagaz@ptitcanardnoir.org
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, LaMont Jones <lamont@debian.org>: Bug#599515; Package bind9. (Fri, 08 Oct 2010 10:33:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: New Bug report received and forwarded. Copy sent to team@security.debian.org, LaMont Jones <lamont@debian.org>. (Fri, 08 Oct 2010 10:33:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: bind9
Severity: grave
Tags: security
Justification: user security hole
Two security issues have been reported in Bind:
http://ftp.isc.org/isc/bind9/9.7.2-P2/RELEASE-NOTES-BIND-9.7.2-P2.html

* If BIND, acting as a DNSSEC validating server, has two or more
  trust anchors configured in named.conf for the same zone (such as
  example.com) and the response for a record in that zone from the
  authoritative server includes a bad signature, the validating
  server will crash while trying to validate that query.

  -> This is CVE-2010-3762

* A flaw where the wrong ACL was applied was fixed. This flaw
  allowed access to a cache via recursion even though the ACL
  disallowed it.

  -> No CVE ID is available so far, but this issue only affects 9.7.2,
  so Squeeze/sid is not affected:
  https://lists.isc.org/pipermail/bind-announce/2010-September/000655.html

Cheers,
Moritz
-- System Information:
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
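
A configuration check for the precondition named in the report above (two or more trust anchors for the same zone in named.conf), added here as an example; it is not part of the bug report or of BIND. The function names and the sample configuration are constructed for illustration, and anchors in different views are counted together.

```python
import re
from collections import Counter

# Constructed named.conf sample (key data is fake); not taken from the bug report.
SAMPLE_CONF = '''
options { dnssec-validation yes; };
trusted-keys {
    "example.com." 257 3 5 "AwEAAc//constructed+key/one==";   // old key
    example.COM    257 3 5 "AwEAAd/constructed+key/two==";    # new key
    # "example.net." 257 3 5 "commented-out";
    "example.net." 257 3 5 "AwEAAe/constructed==";
};
managed-keys { "." initial-key 257 3 5 "AwEAAf/constructed=="; };
'''

TOKEN = re.compile(r'''
    (?P<skip>/\*.*?\*/|//[^\n]*|\#[^\n]*)  # the three named.conf comment styles
  | (?P<str>"(?:[^"\\]|\\.)*")             # quoted string; base64 key data may hold //
  | (?P<punct>[{};])
  | (?P<word>[^\s{};"]+)
''', re.S | re.X)

ANCHOR_BLOCKS = {"trusted-keys", "managed-keys"}

def anchor_counts(conf_text):
    """Count trust anchors per zone over all trusted-keys/managed-keys blocks.
    Anchors in different views are counted together (conservative)."""
    toks = [m.group() for m in TOKEN.finditer(conf_text) if m.lastgroup != "skip"]
    counts, i = Counter(), 0
    while i < len(toks) - 1:
        if toks[i] in ANCHOR_BLOCKS and toks[i + 1] == "{":
            i += 2
            entry_start = True            # next token is the zone name of an entry
            while i < len(toks) and toks[i] != "}":
                if toks[i] == ";":
                    entry_start = True
                elif entry_start:
                    zone = toks[i].strip('"').lower().rstrip(".") + "."
                    counts[zone] += 1
                    entry_start = False
                i += 1
        i += 1
    return counts

def zones_with_multiple_anchors(conf_text):
    """Zones matching the precondition in the report: two or more anchors."""
    return sorted(z for z, n in anchor_counts(conf_text).items() if n >= 2)

if __name__ == "__main__":
    for zone in zones_with_multiple_anchors(SAMPLE_CONF):
        print(f"{zone}: multiple trust anchors; confirm bind9 is at a fixed version")
```

Two anchors for one zone are normal during a key rollover, so a hit means the host should be running one of the fixed versions listed at the top of this log, not that the configuration is wrong.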
Reply sent to LaMont Jones <lamont@debian.org>: You have taken responsibility. (Fri, 08 Oct 2010 10:51:08 GMT)
Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: Bug acknowledged by developer. (Fri, 08 Oct 2010 10:51:08 GMT)
Message #10 received at 599515-done@bugs.debian.org:
On Fri, Oct 08, 2010 at 12:30:03PM +0200, Moritz Muehlenhoff wrote:
> Package: bind9
> Severity: grave
> Tags: security
> Justification: user security hole
> Two security issues have been reported in Bind:
> http://ftp.isc.org/isc/bind9/9.7.2-P2/RELEASE-NOTES-BIND-9.7.2-P2.html
> -> No CVE ID is available so far, but this issue only affects 9.7.2,
> so Squeeze/sid is not affected:
Nor will it affect Debian, since I won't be uploading the affected version.
lamont
Did not alter fixed versions and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 08 Oct 2010 11:24:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>: Bug#599515; Package bind9. (Fri, 08 Oct 2010 11:30:03 GMT)
Acknowledgement sent to Moritz Mühlenhoff <muehlenhoff@univention.de>: Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Fri, 08 Oct 2010 11:30:03 GMT)
Message #17 received at 599515@bugs.debian.org:
reopen 599515
thanks
On Friday 08 October 2010 12:48:15, LaMont Jones wrote:
> On Fri, Oct 08, 2010 at 12:30:03PM +0200, Moritz Muehlenhoff wrote:
> > Package: bind9
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > Two security issues have been reported in Bind:
> > http://ftp.isc.org/isc/bind9/9.7.2-P2/RELEASE-NOTES-BIND-9.7.2-P2.html
> > -> No CVE ID is available so far, but this issue only affects 9.7.2,
> > so Squeeze/sid is not affected:
>
> Nor will it affect Debian, since I won't be uploading the affected version.
There are _two_ issues, one of which affects sid/squeeze; CVE-2010-3752.
Reopening.
Cheers,
Moritz
--
Moritz Mühlenhoff muehlenhoff@univention.de
Open Source Software Engineer and Consultant
Univention GmbH Linux for Your Business fon: +49 421 22 232- 0
Mary-Somerville-Str.1 28359 Bremen fax: +49 421 22 232-99
http://www.univention.de
Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>: Bug#599515; Package bind9. (Sun, 31 Oct 2010 20:06:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Sun, 31 Oct 2010 20:06:04 GMT)
Message #22 received at 599515@bugs.debian.org:
On Fri, Oct 08, 2010 at 01:18:10PM +0200, Moritz Mühlenhoff wrote:
> reopen 599515
> thanks
>
> On Friday 08 October 2010 12:48:15, LaMont Jones wrote:
> > On Fri, Oct 08, 2010 at 12:30:03PM +0200, Moritz Muehlenhoff wrote:
> > > Package: bind9
> > > Severity: grave
> > > Tags: security
> > > Justification: user security hole
> > > Two security issues have been reported in Bind:
> > > http://ftp.isc.org/isc/bind9/9.7.2-P2/RELEASE-NOTES-BIND-9.7.2-P2.html
> > > -> No CVE ID is available so far, but this issue only affects 9.7.2,
> > > so Squeeze/sid is not affected:
> >
> > Nor will it affect Debian, since I won't be uploading the affected version.
>
> There are _two_ issues, one of which affects sid/squeeze; CVE-2010-3752.
*ping*
Cheers,
Moritz
Bug Marked as fixed in versions bind9/1:9.7.2.dfsg.P2-1. Request was from LaMont Jones <lamont@debian.org> to control@bugs.debian.org. (Fri, 26 Nov 2010 12:12:03 GMT)
Message sent on to Moritz Muehlenhoff <muehlenhoff@univention.de>: Bug#599515. (Fri, 03 Dec 2010 15:57:05 GMT)
Message #27 received at 599515-submitter@bugs.debian.org:
Hi,
> > > Nor will it affect Debian, since I won't be uploading the affected version.
> >
> > There are _two_ issues, one of which affects sid/squeeze; CVE-2010-3752.
No, CVE-2010-37_6_2 :)
As the maintainer marked, it's fixed in unstable. Usually, we should pick it up from
unstable and make the smallest patch for squeeze; however, upstream also released
BIND 9.7.2-P3, which has at least 3 security fixes: CVE-2010-3613, CVE-2010-3614
and CVE-2010-3615.
So there is a choice: cherry-pick all the patches for squeeze, or push BIND 9.7.2-P3
to squeeze. I think pushing the new release is better because it can reduce the difference
with upstream.
--
Regards,
Hideki Yamane henrich @ debian.or.jp/org
http://wiki.debian.org/HidekiYamane
Changed Bug title to 'bind9: CVE-2010-3762' from 'bind9: CVE-2010-3752'. Request was from Hideki Yamane <henrich@debian.or.jp> to control@bugs.debian.org. (Sat, 04 Dec 2010 02:21:05 GMT)
Reply sent to bertagaz@ptitcanardnoir.org: You have taken responsibility. (Wed, 03 Aug 2011 09:06:28 GMT)
Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: Bug acknowledged by developer. (Wed, 03 Aug 2011 09:06:30 GMT)
Message #34 received at 599515-done@bugs.debian.org:
Version: 1:9.7.3.dfsg-1~squeeze2
Closing this bug, as both issues seem to be fixed.
See http://security-tracker.debian.org/tracker/CVE-2010-3762 and
http://security-tracker.debian.org/tracker/DSA-2130-1
bert.
Message sent on to Moritz Muehlenhoff <muehlenhoff@univention.de>: Bug#599515. (Wed, 03 Aug 2011 09:06:45 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 01 Sep 2011 07:33:45 GMT)
Last modified: Wed Jun 19 14:17:42 2019