Debian Bug report logs - #808081
bind9: CVE-2015-8000: Responses with a malformed class attribute can trigger an assertion failure in db.c
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 15 Dec 2015 20:42:02 UTC
Severity: grave
Tags: fixed-upstream, patch, security, upstream
Found in version bind9/1:9.7.3.dfsg-1
Fixed in versions bind9/1:9.8.4.dfsg.P1-6+nmu2+deb7u8, bind9/1:9.9.5.dfsg-9+deb8u4, bind9/1:9.9.5.dfsg-12.1
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, LaMont Jones <lamont@debian.org>: Bug#808081; Package src:bind9. (Tue, 15 Dec 2015 20:42:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, LaMont Jones <lamont@debian.org>. (Tue, 15 Dec 2015 20:42:06 GMT)
Message #5 received at submit@bugs.debian.org:
Source: bind9
Version: 1:9.7.3.dfsg-1
Severity: grave
Tags: security upstream fixed-upstream
Hi,
the following vulnerability was published for bind9.
CVE-2015-8000[0]:
Responses with a malformed class attribute can trigger an assertion failure in db.c
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-8000
[1] https://kb.isc.org/article/AA-01317
Regards,
Salvatore
Marked as fixed in versions bind9/1:9.8.4.dfsg.P1-6+nmu2+deb7u8. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 15 Dec 2015 20:51:08 GMT)
Marked as fixed in versions bind9/1:9.9.5.dfsg-9+deb8u4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 15 Dec 2015 20:51:09 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>: Bug#808081; Package src:bind9. (Wed, 16 Dec 2015 15:15:08 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Wed, 16 Dec 2015 15:15:08 GMT)
Message #14 received at 808081@bugs.debian.org:
Hi,
Attached is proposed debdiff for the unstable upload (not yet uploaded
to any delayed queue, just want to check I do not interfere with your
work on it already).
Regards,
Salvatore
[bind9_9.9.5.dfsg-12.1.debdiff (text/plain, attachment)]
Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 16 Dec 2015 15:15:10 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>: Bug#808081; Package src:bind9. (Wed, 16 Dec 2015 20:24:11 GMT)
Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>: Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Wed, 16 Dec 2015 20:24:11 GMT)
Message #21 received at 808081@bugs.debian.org:
Hello dear maintainer(s),
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of bind9:
https://security-tracker.debian.org/tracker/CVE-2015-8000
This issue has already been fixed in other stable releases
and I'm attaching the debdiff of the wheezy version as basis
to backport it to the squeeze version (it applies without conflicts).
Would you like to take care of this yourself?
If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development
If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.
If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.
Thank you very much.
Raphaël Hertzog,
on behalf of the Debian LTS team.
PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
[patch (text/plain, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>: Bug#808081; Package src:bind9. (Wed, 16 Dec 2015 22:57:08 GMT)
Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>: Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Wed, 16 Dec 2015 22:57:08 GMT)
Message #26 received at 808081@bugs.debian.org:
On Wed, Dec 16, 2015 at 3:22 PM, Raphael Hertzog wrote:
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of bind9:
> https://security-tracker.debian.org/tracker/CVE-2015-8000
As mentioned before, please go ahead with bind LTS updates without delay.
Best wishes,
Mike
Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>: Bug#808081; Package src:bind9. (Thu, 17 Dec 2015 02:27:04 GMT)
Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>: Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Thu, 17 Dec 2015 02:27:04 GMT)
Message #31 received at 808081@bugs.debian.org:
On Wed, Dec 16, 2015 at 10:11 AM, Salvatore Bonaccorso wrote:
> Hi,
>
> Attached is proposed debdiff for the unstable upload (not yet uploaded
> to any delayed queue, just want to check I do not interfere with your
> work on it already).
You can do the nmu. I don't have time right now.
Best wishes,
Mike
Reply sent to Salvatore Bonaccorso <carnil@debian.org>: You have taken responsibility. (Thu, 17 Dec 2015 05:27:04 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Thu, 17 Dec 2015 05:27:04 GMT)
Message #36 received at 808081-close@bugs.debian.org:
Source: bind9
Source-Version: 1:9.9.5.dfsg-12.1
We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 808081@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated bind9 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 16 Dec 2015 15:01:39 +0100
Source: bind9
Binary: bind9 bind9utils bind9-doc host bind9-host libbind-dev libbind9-90 libdns100 libisc95 liblwres90 libisccc90 libisccfg90 dnsutils lwresd libbind-export-dev libdns-export100 libdns-export100-udeb libisc-export95 libisc-export95-udeb libisccfg-export90 libisccfg-export90-udeb libirs-export91 libirs-export91-udeb
Architecture: source
Version: 1:9.9.5.dfsg-12.1
Distribution: unstable
Urgency: high
Maintainer: LaMont Jones <lamont@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 808081
Description:
bind9 - Internet Domain Name Server
bind9-doc - Documentation for BIND
bind9-host - Version of 'host' bundled with BIND 9.X
bind9utils - Utilities for BIND
dnsutils - Clients provided with BIND
host - Transitional package
libbind-dev - Static Libraries and Headers used by BIND
libbind-export-dev - Development files for the exported BIND libraries
libbind9-90 - BIND9 Shared Library used by BIND
libdns-export100 - Exported DNS Shared Library
libdns-export100-udeb - Exported DNS library for debian-installer (udeb)
libdns100 - DNS Shared Library used by BIND
libirs-export91 - Exported IRS Shared Library
libirs-export91-udeb - Exported IRS library for debian-installer (udeb)
libisc-export95 - Exported ISC Shared Library
libisc-export95-udeb - Exported ISC library for debian-installer (udeb)
libisc95 - ISC Shared Library used by BIND
libisccc90 - Command Channel Library used by BIND
libisccfg-export90 - Exported ISC CFG Shared Library
libisccfg-export90-udeb - Exported ISC CFG library for debian-installer (udeb)
libisccfg90 - Config File Handling Library used by BIND
liblwres90 - Lightweight Resolver Library used by BIND
lwresd - Lightweight Resolver Daemon
Changes:
bind9 (1:9.9.5.dfsg-12.1) unstable; urgency=high
.
* Non-maintainer upload.
* Add patch to fix CVE-2015-8000.
CVE-2015-8000: Insufficient testing when parsing a message allowed
records with an incorrect class to be accepted, triggering a REQUIRE
failure when those records were subsequently cached. (Closes: #808081)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jan 2016 07:36:26 GMT)
Last modified: Wed Jun 19 13:47:44 2019