Debian Bug report logs - #866564
bind9: CVE-2017-3142 CVE-2017-3143
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 30 Jun 2017 04:21:01 UTC
Severity: grave
Tags: patch, security, upstream
Found in version bind9/1:9.9.5.dfsg-9
Fixed in versions bind9/1:9.9.5.dfsg-9+deb8u12, bind9/1:9.10.6+dfsg-1, bind9/1:9.10.3.dfsg.P4-12.4, bind9/1:9.10.3.dfsg.P4-12.3+deb9u1
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, LaMont Jones <lamont@debian.org>: Bug#866564; Package src:bind9. (Fri, 30 Jun 2017 04:21:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, LaMont Jones <lamont@debian.org>. (Fri, 30 Jun 2017 04:21:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: bind9
Version: 1:9.9.5.dfsg-9
Severity: grave
Tags: patch security upstream
Hi,
the following vulnerabilities were published for bind9.
CVE-2017-3142[0]:
|An error in TSIG authentication can permit unauthorized zone transfers
CVE-2017-3143[1]:
|An error in TSIG authentication can permit unauthorized dynamic
|updates
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-3142
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3142
[1] https://security-tracker.debian.org/tracker/CVE-2017-3143
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3143
[2] https://kb.isc.org/article/AA-01504
[3] https://kb.isc.org/article/AA-01503
Regards,
Salvatore
Marked as fixed in versions bind9/1:9.9.5.dfsg-9+deb8u12. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 30 Jun 2017 20:06:06 GMT)
Marked as fixed in versions bind9/1:9.10.3.dfsg.P4-12.3+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 30 Jun 2017 20:06:06 GMT)
Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 30 Jun 2017 20:06:07 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>: Bug#866564; Package src:bind9. (Fri, 07 Jul 2017 12:54:04 GMT)
Acknowledgement sent to rogeriobastos@pop-ba.rnp.br: Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Fri, 07 Jul 2017 12:54:04 GMT)
Message #16 received at 866564@bugs.debian.org:
Hi,
This bug is marked as fixed in versions bind9/1:9.9.5.dfsg-9+deb8u12, bind9/1:9.10.3.dfsg.P4-12.3+deb9u1 but they are not available in security repository.
Is there anything holding it?
--
Rogerio Bastos
PoP-BA/RNP
Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>: Bug#866564; Package src:bind9. (Fri, 07 Jul 2017 17:18:07 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Fri, 07 Jul 2017 17:18:07 GMT)
Message #21 received at 866564@bugs.debian.org:
Hi
On Fri, Jul 07, 2017 at 09:42:05AM -0300, rogeriobastos@pop-ba.rnp.br wrote:
> Hi,
>
> This bug is marked as fixed in versions bind9/1:9.9.5.dfsg-9+deb8u12, bind9/1:9.10.3.dfsg.P4-12.3+deb9u1 but they are not available in security repository.
> Is there anything holding it?
The reason is, the update was prepared and uploaded to be released,
but did not contain the bug closer. So I did that manually. Due to
some technical reasons on the archive side we could not yet release
the fixed packages, but that should happen soonish now.
Apologies for the delay,
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>: Bug#866564; Package src:bind9. (Fri, 07 Jul 2017 17:27:08 GMT)
Acknowledgement sent to rogeriobastos@pop-ba.rnp.br: Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Fri, 07 Jul 2017 17:27:08 GMT)
Message #26 received at 866564@bugs.debian.org:
We thank you for the great job!
--
Rogerio Bastos
PoP-BA/RNP
Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>: Bug#866564; Package src:bind9. (Sun, 16 Jul 2017 20:27:02 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Sun, 16 Jul 2017 20:27:02 GMT)
Message #31 received at 866564@bugs.debian.org:
Dear maintainer,
I've prepared an NMU for bind9 (versioned as 1:9.10.3.dfsg.P4-12.4) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.
Regards,
Salvatore
[bind9-9.10.3.dfsg.P4-12.4-nmu.diff (text/x-diff, attachment)]
Reply sent to Salvatore Bonaccorso <carnil@debian.org>: You have taken responsibility. (Tue, 18 Jul 2017 20:57:05 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 18 Jul 2017 20:57:05 GMT)
Message #36 received at 866564-close@bugs.debian.org:
Source: bind9
Source-Version: 1:9.10.3.dfsg.P4-12.4
We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 866564@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated bind9 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 16 Jul 2017 22:13:21 +0200
Source: bind9
Binary: bind9 bind9utils bind9-doc host bind9-host libbind-dev libbind9-140 libdns162 libirs141 libisc160 liblwres141 libisccc140 libisccfg140 dnsutils lwresd libbind-export-dev libdns-export162 libdns-export162-udeb libisc-export160 libisc-export160-udeb libisccfg-export140 libisccc-export140 libisccc-export140-udeb libisccfg-export140-udeb libirs-export141 libirs-export141-udeb
Architecture: source
Version: 1:9.10.3.dfsg.P4-12.4
Distribution: unstable
Urgency: high
Maintainer: LaMont Jones <lamont@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 866564
Description:
bind9 - Internet Domain Name Server
bind9-doc - Documentation for BIND
bind9-host - Version of 'host' bundled with BIND 9.X
bind9utils - Utilities for BIND
dnsutils - Clients provided with BIND
host - Transitional package
libbind-dev - Static Libraries and Headers used by BIND
libbind-export-dev - Development files for the exported BIND libraries
libbind9-140 - BIND9 Shared Library used by BIND
libdns-export162 - Exported DNS Shared Library
libdns-export162-udeb - Exported DNS library for debian-installer (udeb)
libdns162 - DNS Shared Library used by BIND
libirs-export141 - Exported IRS Shared Library
libirs-export141-udeb - Exported IRS library for debian-installer (udeb)
libirs141 - DNS Shared Library used by BIND
libisc-export160 - Exported ISC Shared Library
libisc-export160-udeb - Exported ISC library for debian-installer (udeb)
libisc160 - ISC Shared Library used by BIND
libisccc-export140 - Command Channel Library used by BIND
libisccc-export140-udeb - Command Channel Library used by BIND (udeb)
libisccc140 - Command Channel Library used by BIND
libisccfg-export140 - Exported ISC CFG Shared Library
libisccfg-export140-udeb - Exported ISC CFG library for debian-installer (udeb)
libisccfg140 - Config File Handling Library used by BIND
liblwres141 - Lightweight Resolver Library used by BIND
lwresd - Lightweight Resolver Daemon
Changes:
bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high
.
* Non-maintainer upload.
.
[ Yves-Alexis Perez ]
* debian/patches:
- debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses
CVE-2017-3142: error in TSIG authentication can permit unauthorized zone
transfers. An attacker may be able to circumvent TSIG authentication of
AXFR and Notify requests.
CVE-2017-3143: error in TSIG authentication can permit unauthorized
dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
signature for a dynamic update.
(Closes: #866564)
Checksums-Sha1:
b307ca41fc3a79ef49b2ffc78420875d1448d59e 3913 bind9_9.10.3.dfsg.P4-12.4.dsc
d5da197c8b74f60448716a1c36ba76f76a9a3342 84064 bind9_9.10.3.dfsg.P4-12.4.debian.tar.xz
Checksums-Sha256:
4f2c438af02d43f7fd216a27ec5f8d779c0b1189f5c1ab0397fc2ff653994619 3913 bind9_9.10.3.dfsg.P4-12.4.dsc
24569a34d16abc1887f7976f3c30ace2fdb4564c2c4dcf732a6e49fb63000034 84064 bind9_9.10.3.dfsg.P4-12.4.debian.tar.xz
Files:
06b71e22ef4a01b4bddfadfbf38ce59c 3913 net optional bind9_9.10.3.dfsg.P4-12.4.dsc
072c7a2722492ca1ad2a5a1eefe23623 84064 net optional bind9_9.10.3.dfsg.P4-12.4.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
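Both CVEs in the report above, and the changelog entry that fixes them, come down to the same failure: the server accepted an AXFR or UPDATE request whose TSIG did not actually authenticate it. As an added illustration (constructed here, not code from the bug report, from ISC's BIND or from the Debian patch, and not a reproduction of the specific defects fixed), the following Python sketches RFC 2845/4635-style TSIG signing and the server-side verification a TSIG-protected endpoint must perform: locate the TSIG RR, look the key up by name, recompute the HMAC over the message as it stood before the TSIG RR was appended plus the TSIG variables, reject a missing, short or wrong MAC as BADSIG, and reject a stale timestamp as BADTIME. The zone, key names, secret and clock are constructed sample values; only hmac-sha256 is implemented, and a full-length MAC is required (stricter than the truncation RFC 4635 permits).

```python
# Constructed example of TSIG (RFC 2845/4635) signing and verification.
# Not BIND's code; hmac-sha256 only; full-length MAC required.
import hashlib
import hmac
import struct

TSIG_TYPE, CLASS_ANY, CLASS_IN, QTYPE_AXFR = 250, 255, 1, 252
HMAC_SHA256 = "hmac-sha256."


def encode_name(name):
    """Canonical wire form of a domain name: lowercase labels, no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Parse a wire-format name at off (compression pointers allowed); return (name, next offset)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # pointer: remember where to resume
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def build_axfr_query(zone, qid):
    """Unsigned AXFR request: 12-byte header with QDCOUNT=1, then one question."""
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)


def tsig_variables(key_name, alg, time_signed, fudge, error, other):
    """TSIG variables covered by the MAC (RFC 2845 3.4.2): name, class ANY, TTL 0, alg, time, fudge, error, other."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(alg)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, error, len(other)) + other)


def append_tsig(msg, key_name, alg, time_signed, fudge, mac):
    """Append a TSIG RR carrying the given MAC (possibly empty) and bump ARCOUNT."""
    original_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(alg) + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, len(mac))
             + mac + struct.pack("!HHH", original_id, 0, 0))
    rr = encode_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr


def sign(msg, key_name, secret, time_signed, fudge=300, alg=HMAC_SHA256):
    """Client side: HMAC over the unsigned message followed by the TSIG variables."""
    mac = hmac.new(secret, msg + tsig_variables(key_name, alg, time_signed, fudge, 0, b""), hashlib.sha256).digest()
    return append_tsig(msg, key_name, alg, time_signed, fudge, mac)


def verify(signed, keyring, now, alg=HMAC_SHA256):
    """Server side. Returns 'NOERROR', 'UNSIGNED' (no TSIG RR; apply the zone ACL instead),
    or the error the server would answer with: FORMERR, BADKEY, BADSIG, BADTIME."""
    if len(signed) < 12:
        return "FORMERR"
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if ar == 0:
        return "UNSIGNED"
    off = 12
    for _ in range(qd):
        _, off = decode_name(signed, off)
        off += 4                                    # QTYPE, QCLASS
    last = off
    for _ in range(an + ns + ar):                   # walk every RR; the TSIG must be the last one
        last = off
        _, off = decode_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    key_name, p = decode_name(signed, last)
    rtype, rclass = struct.unpack("!HH", signed[p:p + 4])
    if rtype != TSIG_TYPE or rclass != CLASS_ANY or off != len(signed):
        return "FORMERR"
    alg_name, p = decode_name(signed, p + 10)
    hi, lo, fudge, mac_size = struct.unpack("!HIHH", signed[p:p + 10])
    mac = signed[p + 10:p + 10 + mac_size]
    p += 10 + mac_size
    original_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    other = signed[p + 6:p + 6 + other_len]
    secret = keyring.get(key_name.lower())
    if secret is None or alg_name.lower() != alg:
        return "BADKEY"
    # Rebuild the message exactly as the signer saw it: original ID, ARCOUNT without the TSIG RR, no TSIG RR.
    unsigned = struct.pack("!H", original_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:last]
    time_signed = (hi << 32) | lo
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, alg_name, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    # An empty or short MAC must never pass: check the length first, then compare in constant time.
    if mac_size != len(expected) or not hmac.compare_digest(mac, expected):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    return "NOERROR"


def demo():
    """Accept/reject cases a TSIG-protected AXFR endpoint must get right (all inputs constructed)."""
    secret = b"constructed-demo-key-material"       # constructed; real keys come from tsig-keygen
    keyring = {"axfr-key.example.": secret}
    now = 1498796461                                # fixed clock so the run is deterministic
    req = build_axfr_query("example.", 0x1234)
    good = sign(req, "axfr-key.example.", secret, now)
    tampered = bytearray(good)
    tampered[13] ^= 0x20                            # change the zone name after signing
    return {
        "valid": verify(good, keyring, now),
        "tampered": verify(bytes(tampered), keyring, now),
        "unknown_key": verify(sign(req, "other.example.", secret, now), keyring, now),
        "empty_mac": verify(append_tsig(req, "axfr-key.example.", HMAC_SHA256, now, 300, b""), keyring, now),
        "replayed": verify(good, keyring, now + 3600),
        "unsigned": verify(req, keyring, now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12s} -> {result}")
```

The cases in `demo()` are the ones worth checking on any TSIG implementation: a correctly signed request passes; a request altered after signing, one carrying a TSIG RR with an empty MAC, and one under an unknown key name are all refused before any zone data is sent; a valid signature replayed outside the fudge window is BADTIME; and a request with no TSIG at all is handed back to the zone's ACL rather than treated as authenticated.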
Information forwarded to debian-bugs-dist@lists.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>: Bug#866564; Package src:bind9. (Mon, 23 Oct 2017 11:15:06 GMT)
Acknowledgement sent to Bernhard Schmidt <berni@debian.org>: Extra info received and forwarded to list. Copy sent to Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>. (Mon, 23 Oct 2017 11:15:06 GMT)
Message #41 received at 866564@bugs.debian.org:
Control: fixed -1 1:9.10.6+dfsg-1
Fixed upstream
--- 9.10.6b1 released ---
4643.	[security]	An error in TSIG handling could permit unauthorized
			zone transfers or zone updates. (CVE-2017-3142)
			(CVE-2017-3143) [RT #45383]
Marked as fixed in versions bind9/1:9.10.6+dfsg-1. Request was from Bernhard Schmidt <berni@debian.org> to 866564-submit@bugs.debian.org. (Mon, 23 Oct 2017 11:15:06 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 21 Nov 2017 07:28:32 GMT)
Last modified: Wed Jun 19 14:17:55 2019