Debian Bug report logs - #866564
bind9: CVE-2017-3142 CVE-2017-3143


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 30 Jun 2017 04:21:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in version bind9/1:9.9.5.dfsg-9

Fixed in versions bind9/1:9.9.5.dfsg-9+deb8u12, bind9/1:9.10.6+dfsg-1, bind9/1:9.10.3.dfsg.P4-12.4, bind9/1:9.10.3.dfsg.P4-12.3+deb9u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, LaMont Jones <lamont@debian.org>:
Bug#866564; Package src:bind9. (Fri, 30 Jun 2017 04:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, LaMont Jones <lamont@debian.org>. (Fri, 30 Jun 2017 04:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bind9: CVE-2017-3142 CVE-2017-3143
Date: Fri, 30 Jun 2017 06:18:57 +0200
Source: bind9
Version: 1:9.9.5.dfsg-9
Severity: grave
Tags: patch security upstream

Hi,

the following vulnerabilities were published for bind9.

CVE-2017-3142[0]:
|An error in TSIG authentication can permit unauthorized zone transfers

CVE-2017-3143[1]:
|An error in TSIG authentication can permit unauthorized dynamic
|updates

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-3142
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3142
[1] https://security-tracker.debian.org/tracker/CVE-2017-3143
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3143
[2] https://kb.isc.org/article/AA-01504
[3] https://kb.isc.org/article/AA-01503

Regards,
Salvatore



Marked as fixed in versions bind9/1:9.9.5.dfsg-9+deb8u12. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 30 Jun 2017 20:06:06 GMT)


Marked as fixed in versions bind9/1:9.10.3.dfsg.P4-12.3+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 30 Jun 2017 20:06:06 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 30 Jun 2017 20:06:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#866564; Package src:bind9. (Fri, 07 Jul 2017 12:54:04 GMT)


Acknowledgement sent to rogeriobastos@pop-ba.rnp.br:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Fri, 07 Jul 2017 12:54:04 GMT)


Message #16 received at 866564@bugs.debian.org:

From: rogeriobastos@pop-ba.rnp.br
To: 866564@bugs.debian.org
Subject: bind9: CVE-2017-3142 CVE-2017-3143
Date: Fri, 7 Jul 2017 09:42:05 -0300 (BRT)
Hi,

This bug is marked as fixed in versions bind9/1:9.9.5.dfsg-9+deb8u12, bind9/1:9.10.3.dfsg.P4-12.3+deb9u1 but they are not available in security repository.
Is there anything holding it?

-- 
Rogerio Bastos
PoP-BA/RNP



Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#866564; Package src:bind9. (Fri, 07 Jul 2017 17:18:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Fri, 07 Jul 2017 17:18:07 GMT)


Message #21 received at 866564@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: rogeriobastos@pop-ba.rnp.br, 866564@bugs.debian.org
Subject: Re: Bug#866564: bind9: CVE-2017-3142 CVE-2017-3143
Date: Fri, 7 Jul 2017 19:15:14 +0200
Hi

On Fri, Jul 07, 2017 at 09:42:05AM -0300, rogeriobastos@pop-ba.rnp.br wrote:
> Hi,
> 
> This bug is marked as fixed in versions bind9/1:9.9.5.dfsg-9+deb8u12, bind9/1:9.10.3.dfsg.P4-12.3+deb9u1 but they are not available in security repository.
> Is there anything holding it?

The reason is, the update was prepared and uploaded to be released,
but did not contain the bug closer. So I did that manually. Due to
some technical reasons on the archive side we could not yet release
the fixed packages, but that should happen soonish now.

Apologies for the delay,

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#866564; Package src:bind9. (Fri, 07 Jul 2017 17:27:08 GMT)


Acknowledgement sent to rogeriobastos@pop-ba.rnp.br:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Fri, 07 Jul 2017 17:27:08 GMT)


Message #26 received at 866564@bugs.debian.org:

From: rogeriobastos@pop-ba.rnp.br
To: 866564 <866564@bugs.debian.org>
Subject: Re: Bug#866564: bind9: CVE-2017-3142 CVE-2017-3143
Date: Fri, 7 Jul 2017 14:22:55 -0300 (BRT)
We thank you for the great job!

-- 
Rogerio Bastos
PoP-BA/RNP



Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#866564; Package src:bind9. (Sun, 16 Jul 2017 20:27:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Sun, 16 Jul 2017 20:27:02 GMT)


Message #31 received at 866564@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 866564@bugs.debian.org
Subject: bind9: diff for NMU version 1:9.10.3.dfsg.P4-12.4
Date: Sun, 16 Jul 2017 22:24:54 +0200
Dear maintainer,

I've prepared an NMU for bind9 (versioned as 1:9.10.3.dfsg.P4-12.4) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[bind9-9.10.3.dfsg.P4-12.4-nmu.diff (text/x-diff, attachment)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 18 Jul 2017 20:57:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 18 Jul 2017 20:57:05 GMT)


Message #36 received at 866564-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 866564-close@bugs.debian.org
Subject: Bug#866564: fixed in bind9 1:9.10.3.dfsg.P4-12.4
Date: Tue, 18 Jul 2017 20:54:26 +0000
Source: bind9
Source-Version: 1:9.10.3.dfsg.P4-12.4

We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 866564@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated bind9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 16 Jul 2017 22:13:21 +0200
Source: bind9
Binary: bind9 bind9utils bind9-doc host bind9-host libbind-dev libbind9-140 libdns162 libirs141 libisc160 liblwres141 libisccc140 libisccfg140 dnsutils lwresd libbind-export-dev libdns-export162 libdns-export162-udeb libisc-export160 libisc-export160-udeb libisccfg-export140 libisccc-export140 libisccc-export140-udeb libisccfg-export140-udeb libirs-export141 libirs-export141-udeb
Architecture: source
Version: 1:9.10.3.dfsg.P4-12.4
Distribution: unstable
Urgency: high
Maintainer: LaMont Jones <lamont@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 866564
Description: 
 bind9      - Internet Domain Name Server
 bind9-doc  - Documentation for BIND
 bind9-host - Version of 'host' bundled with BIND 9.X
 bind9utils - Utilities for BIND
 dnsutils   - Clients provided with BIND
 host       - Transitional package
 libbind-dev - Static Libraries and Headers used by BIND
 libbind-export-dev - Development files for the exported BIND libraries
 libbind9-140 - BIND9 Shared Library used by BIND
 libdns-export162 - Exported DNS Shared Library
 libdns-export162-udeb - Exported DNS library for debian-installer (udeb)
 libdns162  - DNS Shared Library used by BIND
 libirs-export141 - Exported IRS Shared Library
 libirs-export141-udeb - Exported IRS library for debian-installer (udeb)
 libirs141  - DNS Shared Library used by BIND
 libisc-export160 - Exported ISC Shared Library
 libisc-export160-udeb - Exported ISC library for debian-installer (udeb)
 libisc160  - ISC Shared Library used by BIND
 libisccc-export140 - Command Channel Library used by BIND
 libisccc-export140-udeb - Command Channel Library used by BIND (udeb)
 libisccc140 - Command Channel Library used by BIND
 libisccfg-export140 - Exported ISC CFG Shared Library
 libisccfg-export140-udeb - Exported ISC CFG library for debian-installer (udeb)
 libisccfg140 - Config File Handling Library used by BIND
 liblwres141 - Lightweight Resolver Library used by BIND
 lwresd     - Lightweight Resolver Daemon
Changes:
 bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high
 .
   * Non-maintainer upload.
 .
   [ Yves-Alexis Perez ]
   * debian/patches:
     - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses
       CVE-2017-3142: error in TSIG authentication can permit unauthorized zone
       transfers. An attacker may be able to circumvent TSIG authentication of
       AXFR and Notify requests.
       CVE-2017-3143: error in TSIG authentication can permit unauthorized
       dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
       signature for a dynamic update.
       (Closes: #866564)
Checksums-Sha1: 
 b307ca41fc3a79ef49b2ffc78420875d1448d59e 3913 bind9_9.10.3.dfsg.P4-12.4.dsc
 d5da197c8b74f60448716a1c36ba76f76a9a3342 84064 bind9_9.10.3.dfsg.P4-12.4.debian.tar.xz
Checksums-Sha256: 
 4f2c438af02d43f7fd216a27ec5f8d779c0b1189f5c1ab0397fc2ff653994619 3913 bind9_9.10.3.dfsg.P4-12.4.dsc
 24569a34d16abc1887f7976f3c30ace2fdb4564c2c4dcf732a6e49fb63000034 84064 bind9_9.10.3.dfsg.P4-12.4.debian.tar.xz
Files: 
 06b71e22ef4a01b4bddfadfbf38ce59c 3913 net optional bind9_9.10.3.dfsg.P4-12.4.dsc
 072c7a2722492ca1ad2a5a1eefe23623 84064 net optional bind9_9.10.3.dfsg.P4-12.4.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>:
Bug#866564; Package src:bind9. (Mon, 23 Oct 2017 11:15:06 GMT)


Acknowledgement sent to Bernhard Schmidt <berni@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>. (Mon, 23 Oct 2017 11:15:06 GMT)


Message #41 received at 866564@bugs.debian.org:

From: Bernhard Schmidt <berni@debian.org>
To: 866564@bugs.debian.org
Subject: Re: bind9: CVE-2017-3142 CVE-2017-3143
Date: Mon, 23 Oct 2017 13:12:13 +0200
Control: fixed -1 1:9.10.6+dfsg-1

Fixed upstream

	--- 9.10.6b1 released ---

4643.	[security]	An error in TSIG handling could permit unauthorized
			zone transfers or zone updates. (CVE-2017-3142)
			(CVE-2017-3143) [RT #45383]

Marked as fixed in versions bind9/1:9.10.6+dfsg-1. Request was from Bernhard Schmidt <berni@debian.org> to 866564-submit@bugs.debian.org. (Mon, 23 Oct 2017 11:15:06 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 21 Nov 2017 07:28:32 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:17:55 2019; Machine Name: beach
