bind9: CVE-2019-6465: Zone transfer controls for writable DLZ zones were not effective

Related Vulnerabilities: CVE-2019-6465, CVE-2018-5743, CVE-2018-5745

Debian Bug report logs - #922955


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 22 Feb 2019 10:06:02 UTC

Severity: grave

Tags: security, upstream

Found in versions bind9/1:9.11.5.P1+dfsg-2, bind9/1:9.10.3.dfsg.P4-12.3, bind9/1:9.10.3.dfsg.P4-12.3+deb9u4

Fixed in versions bind9/1:9.11.5.P4+dfsg-1, bind9/1:9.10.3.dfsg.P4-12.3+deb9u5

Done: Bernhard Schmidt <berni@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian DNS Team <team+dns@tracker.debian.org>:
Bug#922955; Package src:bind9. (Fri, 22 Feb 2019 10:06:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian DNS Team <team+dns@tracker.debian.org>. (Fri, 22 Feb 2019 10:06:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bind9: CVE-2019-6465: Zone transfer controls for writable DLZ zones were not effective
Date: Fri, 22 Feb 2019 11:03:11 +0100
Source: bind9
Version: 1:9.11.5.P1+dfsg-2
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 1:9.10.3.dfsg.P4-12.3+deb9u4
Control: found -1 1:9.10.3.dfsg.P4-12.3

Hi,

The following vulnerability was published for bind9.

CVE-2019-6465[0]:
Zone transfer controls for writable DLZ zones were not effective

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-6465
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6465
[1] https://kb.isc.org/docs/cve-2019-6465

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions bind9/1:9.10.3.dfsg.P4-12.3+deb9u4. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 22 Feb 2019 10:06:04 GMT)


Marked as found in versions bind9/1:9.10.3.dfsg.P4-12.3. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 22 Feb 2019 10:06:05 GMT)


Marked as fixed in versions bind9/1:9.11.5.P4+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 22 Feb 2019 18:18:04 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 22 Feb 2019 18:18:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 22 Feb 2019 18:18:05 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#922955. (Fri, 22 Feb 2019 18:18:17 GMT)


Message #18 received at 922955-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 922953-submitter@bugs.debian.org, 922954-submitter@bugs.debian.org, 922955-submitter@bugs.debian.org
Subject: closing 922955, closing 922954, closing 922953
Date: Fri, 22 Feb 2019 19:14:21 +0100
close 922955 1:9.11.5.P4+dfsg-1
close 922954 1:9.11.5.P4+dfsg-1
close 922953 1:9.11.5.P4+dfsg-1
thanks

Close bugs accordingly as the fixes landed in the 1:9.11.5.P4+dfsg-1 version.




Reply sent to Bernhard Schmidt <berni@debian.org>:
You have taken responsibility. (Mon, 13 May 2019 21:18:21 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 13 May 2019 21:18:21 GMT)


Message #23 received at 922955-close@bugs.debian.org:

From: Bernhard Schmidt <berni@debian.org>
To: 922955-close@bugs.debian.org
Subject: Bug#922955: fixed in bind9 1:9.10.3.dfsg.P4-12.3+deb9u5
Date: Mon, 13 May 2019 21:17:13 +0000
Source: bind9
Source-Version: 1:9.10.3.dfsg.P4-12.3+deb9u5

We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 922955@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <berni@debian.org> (supplier of updated bind9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 03 May 2019 22:34:35 +0200
Source: bind9
Binary: bind9 bind9utils bind9-doc host bind9-host libbind-dev libbind9-140 libdns162 libirs141 libisc160 liblwres141 libisccc140 libisccfg140 dnsutils lwresd libbind-export-dev libdns-export162 libdns-export162-udeb libisc-export160 libisc-export160-udeb libisccfg-export140 libisccc-export140 libisccc-export140-udeb libisccfg-export140-udeb libirs-export141 libirs-export141-udeb
Architecture: source
Version: 1:9.10.3.dfsg.P4-12.3+deb9u5
Distribution: stretch-security
Urgency: high
Maintainer: Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>
Changed-By: Bernhard Schmidt <berni@debian.org>
Description:
 bind9      - Internet Domain Name Server
 bind9-doc  - Documentation for BIND
 bind9-host - Version of 'host' bundled with BIND 9.X
 bind9utils - Utilities for BIND
 dnsutils   - Clients provided with BIND
 host       - Transitional package
 libbind-dev - Static Libraries and Headers used by BIND
 libbind-export-dev - Development files for the exported BIND libraries
 libbind9-140 - BIND9 Shared Library used by BIND
 libdns-export162 - Exported DNS Shared Library
 libdns-export162-udeb - Exported DNS library for debian-installer (udeb)
 libdns162  - DNS Shared Library used by BIND
 libirs-export141 - Exported IRS Shared Library
 libirs-export141-udeb - Exported IRS library for debian-installer (udeb)
 libirs141  - DNS Shared Library used by BIND
 libisc-export160 - Exported ISC Shared Library
 libisc-export160-udeb - Exported ISC library for debian-installer (udeb)
 libisc160  - ISC Shared Library used by BIND
 libisccc-export140 - Command Channel Library used by BIND
 libisccc-export140-udeb - Command Channel Library used by BIND (udeb)
 libisccc140 - Command Channel Library used by BIND
 libisccfg-export140 - Exported ISC CFG Shared Library
 libisccfg-export140-udeb - Exported ISC CFG library for debian-installer (udeb)
 libisccfg140 - Config File Handling Library used by BIND
 liblwres141 - Lightweight Resolver Library used by BIND
 lwresd     - Lightweight Resolver Daemon
Closes: 922954 922955 927932
Changes:
 bind9 (1:9.10.3.dfsg.P4-12.3+deb9u5) stretch-security; urgency=high
 .
   [ Marc Deslauriers (Ubuntu) ]
   * CVE-2018-5743: limiting simultaneous TCP clients is ineffective.
     Thanks to Marc Deslauriers of Ubuntu (Closes: #927932)
 .
   [ Ondřej Surý ]
   * Sync Maintainer and Uploaders with unstable
   * [CVE-2019-6465]: Zone transfers for DLZs are executed though not
     permitted by ACLs. (Closes: #922955)
   * [CVE-2018-5745]: Avoid assertion and thus causing named to
     deliberately exit when a trust anchor's key is replaced with a key
     which uses an unsupported algorithm. (Closes: #922954)







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:52:09 2019; Machine Name: beach
