bind9: CVE-2015-8000: Responses with a malformed class attribute can trigger an assertion failure in db.c

Debian Bug report logs - #808081
bind9: CVE-2015-8000: Responses with a malformed class attribute can trigger an assertion failure in db.c

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: bind9: CVE-2015-8000: Responses with a malformed class attribute can trigger an assertion failure in db.c

Date: Tue, 15 Dec 2015 21:39:14 +0100

Source: bind9
Version: 1:9.7.3.dfsg-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for bind9.

CVE-2015-8000[0]:
Responses with a malformed class attribute can trigger an assertion failure in db.c

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8000
[1] https://kb.isc.org/article/AA-01317

Regards,
Salvatore

Message #14 received at 808081@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 808081@bugs.debian.org

Subject: Re: Bug#808081: bind9: CVE-2015-8000: Responses with a malformed class attribute can trigger an assertion failure in db.c

Date: Wed, 16 Dec 2015 16:11:00 +0100

[Message part 1 (text/plain, inline)]

Hi,

Attached is proposed debdiff for the unstable upload (not yet uploaded
to any delayed queue, just want to check I do not interfere with your
work on it already).

Regards,
Salvatore

[bind9_9.9.5.dfsg-12.1.debdiff (text/plain, attachment)]

Message #21 received at 808081@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>

To: LaMont Jones <lamont@debian.org>, mgilbert@debian.org

Cc: debian-lts@lists.debian.org, 808081@bugs.debian.org

Subject: squeeze update of bind9?

Date: Wed, 16 Dec 2015 21:22:35 +0100

[Message part 1 (text/plain, inline)]

Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of bind9:
https://security-tracker.debian.org/tracker/CVE-2015-8000

This issue has already been fixed in other stable releases
and I'm attaching the debdiff of the wheezy version as basis
to backport it to the squeeze version (it applies without conflicts).

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

[patch (text/plain, attachment)]

Message #26 received at 808081@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>

To: Raphael Hertzog <hertzog@debian.org>, 808081@bugs.debian.org, debian-lts@lists.debian.org

Subject: Re: Bug#808081: squeeze update of bind9?

Date: Wed, 16 Dec 2015 17:52:40 -0500

On Wed, Dec 16, 2015 at 3:22 PM, Raphael Hertzog wrote:
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of bind9:
> https://security-tracker.debian.org/tracker/CVE-2015-8000

As mentioned before, please go ahead with bind LTS updates without delay.

Best wishes,
Mike

Message #31 received at 808081@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 808081@bugs.debian.org

Subject: Re: Bug#808081: bind9: CVE-2015-8000: Responses with a malformed class attribute can trigger an assertion failure in db.c

Date: Wed, 16 Dec 2015 21:23:54 -0500

On Wed, Dec 16, 2015 at 10:11 AM, Salvatore Bonaccorso wrote:
> Hi,
>
> Attached is proposed debdiff for the unstable upload (not yet uploaded
> to any delayed queue, just want to check I do not interfere with your
> work on it already).

You can do the nmu.  I don't have time right now.

Best wishes,
Mike

Message #36 received at 808081-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 808081-close@bugs.debian.org

Subject: Bug#808081: fixed in bind9 1:9.9.5.dfsg-12.1

Date: Thu, 17 Dec 2015 05:24:48 +0000

Source: bind9
Source-Version: 1:9.9.5.dfsg-12.1

We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 808081@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated bind9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 16 Dec 2015 15:01:39 +0100
Source: bind9
Binary: bind9 bind9utils bind9-doc host bind9-host libbind-dev libbind9-90 libdns100 libisc95 liblwres90 libisccc90 libisccfg90 dnsutils lwresd libbind-export-dev libdns-export100 libdns-export100-udeb libisc-export95 libisc-export95-udeb libisccfg-export90 libisccfg-export90-udeb libirs-export91 libirs-export91-udeb
Architecture: source
Version: 1:9.9.5.dfsg-12.1
Distribution: unstable
Urgency: high
Maintainer: LaMont Jones <lamont@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 808081
Description: 
 bind9      - Internet Domain Name Server
 bind9-doc  - Documentation for BIND
 bind9-host - Version of 'host' bundled with BIND 9.X
 bind9utils - Utilities for BIND
 dnsutils   - Clients provided with BIND
 host       - Transitional package
 libbind-dev - Static Libraries and Headers used by BIND
 libbind-export-dev - Development files for the exported BIND libraries
 libbind9-90 - BIND9 Shared Library used by BIND
 libdns-export100 - Exported DNS Shared Library
 libdns-export100-udeb - Exported DNS library for debian-installer (udeb)
 libdns100  - DNS Shared Library used by BIND
 libirs-export91 - Exported IRS Shared Library
 libirs-export91-udeb - Exported IRS library for debian-installer (udeb)
 libisc-export95 - Exported ISC Shared Library
 libisc-export95-udeb - Exported ISC library for debian-installer (udeb)
 libisc95   - ISC Shared Library used by BIND
 libisccc90 - Command Channel Library used by BIND
 libisccfg-export90 - Exported ISC CFG Shared Library
 libisccfg-export90-udeb - Exported ISC CFG library for debian-installer (udeb)
 libisccfg90 - Config File Handling Library used by BIND
 liblwres90 - Lightweight Resolver Library used by BIND
 lwresd     - Lightweight Resolver Daemon
Changes:
 bind9 (1:9.9.5.dfsg-12.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Add patch to fix CVE-2015-8000.
     CVE-2015-8000: Insufficient testing when parsing a message allowed
     records with an incorrect class to be accepted, triggering a REQUIRE
     failure when those records were subsequently cached. (Closes: #808081)
Checksums-Sha1: 
 6b4d55f0d3731a2d05b0726a7474e91286202410 3431 bind9_9.9.5.dfsg-12.1.dsc
 c2274b3e800e5dfd397aa3500515c987bdf9e744 112989 bind9_9.9.5.dfsg-12.1.diff.gz
Checksums-Sha256: 
 05d6eb748625c6c7840b69a7b836d9ede860a9b256a0d1e7b257f41347afd789 3431 bind9_9.9.5.dfsg-12.1.dsc
 82121a405f40a300f5048e1e3f7f2c8b4595c3dca4ac515663a7a632f6d4d4c4 112989 bind9_9.9.5.dfsg-12.1.diff.gz
Files: 
 3b7a047b4b3af715c92172e2a199d528 3431 net optional bind9_9.9.5.dfsg-12.1.dsc
 9ec11bad616f55198dfcd999b75624a9 112989 net optional bind9_9.9.5.dfsg-12.1.diff.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWcjbpAAoJEAVMuPMTQ89EYJQQAIXWIztrhjMzcLbmy3EcSG2V
DeyZz/wRDucDCqqza59javS4SjTVPd84bcNLeel8KKhUdqdmTfSYCAN29TkxUw/I
pe1hTTeIydxJzJIZglRpTZZ7bzElnCenklH42Nz11IpiIscWVCKaS5+/QbjMcU0d
tXEUuCoGkfuEnD4tyNJ1435J50igsyhmpZ3bIbzTPvWZ7ipcsUZr0Lp1kA9ISSkm
y3vSdGRcNP1h7ahXu93Am+lqanwYc0mCZjUD23q+JQ3yNXhDTE6fiOhxoRfoyeyd
BVqFXpwc/rVEfWhKVxHW2D0Km/7YLNM8welgKhSrIX5SmnoH4hQDBPN8gnNNis1j
XRgEiH/0z3w+9xbsTarJfeQNnTOVU9P84pg3w3/GgUhyJDkCvOoaix/Q35LOrWPX
6u0t99et8kbxVMcXn5qfKAphbt2dOLClf/1uxfJ86sgYdCrEkq5MqesA3sOWjTU4
soT1j6daRXF3uyP9ZkPAJx4OGUjSf4ABIk0bQMAZmpfotrzp7S1OaQ/ZXAf/s0hK
N62KcWnTps1NrcyAsT+koUIOub2GASA2wv8ChqfMh/AVBKJ5e2BfnWs8HSB1yRoA
f6V2kBk32qbRBhp/hX4Gkk5KdJx2s6evBIh/Vr73PuLoDWXLWmsPNqS/2F48ckU3
zBPhnIQsH5iPU1Qy1zU/
=oSzV
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.