bind9: CVE-2018-5738: improperly permits recursive query service to unauthorized clients

Related Vulnerabilities: CVE-2018-5738  

Debian Bug report logs - #901483


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 13 Jun 2018 21:03:01 UTC

Severity: grave

Tags: security, upstream

Found in version bind9/1:9.11.3+dfsg-1

Fixed in version bind9/1:9.11.3+dfsg-2

Done: Ondřej Surý <ondrej@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>:
Bug#901483; Package src:bind9. (Wed, 13 Jun 2018 21:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>. (Wed, 13 Jun 2018 21:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bind9: CVE-2018-5738: improperly permits recursive query service to unauthorized clients
Date: Wed, 13 Jun 2018 23:00:26 +0200
Source: bind9
Version: 1:9.11.3+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for bind9, affecting the
version present in unstable (older suites do not include the upstream
change #4777).

CVE-2018-5738[0]:
|Some versions of BIND can improperly permit recursive query service to
|unauthorized clients

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5738
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5738
[1] https://kb.isc.org/article/AA-01616/0/CVE-2018-5738

Regards,
Salvatore

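The weakness reported above is recursion being offered to clients the ACLs were supposed to exclude. The practical check, from an address that should not be allowed recursion, is to send a query with RD set and read the RA flag and RCODE in the reply: BIND clears RA for clients that fail allow-recursion, and REFUSED means the query was rejected outright. The checker below is an added example written for this page, not code from the bug report or from BIND itself; the server address 192.0.2.53, the query name and the three sample replies are constructed for illustration.

```python
#!/usr/bin/env python3
"""Open-recursion check: will this DNS server recurse for the client running it?

Added example for this page, not code from the bug report or from BIND.
Sends one A/IN query with RD=1 and inspects the RA flag and RCODE in the
reply. The target address, query name and sample replies are assumptions.
"""
import secrets
import socket
import struct
import sys

# Header flag bits (RFC 1035 section 4.1.1).
FLAG_QR = 0x8000        # message is a response
FLAG_RD = 0x0100        # recursion desired (set by the client)
FLAG_RA = 0x0080        # recursion available, as judged for *this* client
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_REFUSED = 5


def build_query(qname, qid):
    """Build a minimal A/IN query for qname with the RD bit set."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    labels = [lab for lab in qname.rstrip(".").split(".") if lab]
    name = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data, expected_id):
    """Decode only the 12-byte header; that is all this check needs."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("transaction ID mismatch (stale or spoofed reply)")
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    return {"ra": bool(flags & FLAG_RA),
            "rcode": flags & RCODE_MASK,
            "ancount": ancount}


def classify(info):
    """Interpret a reply. Use a name the server is not authoritative for;
    an answer from its own zones proves nothing about recursion."""
    if info["rcode"] == RCODE_REFUSED:
        return "refused"
    if info["ra"] and info["rcode"] == RCODE_NOERROR:
        return "open recursion"
    return "no recursion"


def check_resolver(server, qname="example.com.", port=53, timeout=3.0):
    """Send the probe over UDP and classify the reply (or its absence)."""
    qid = secrets.randbits(16)
    query = build_query(qname, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        try:
            data, _peer = sock.recvfrom(512)
        except socket.timeout:
            return "no response"
    return classify(parse_response(data, qid))


# Constructed sample replies (headers only, no question/answer sections),
# used to exercise the classifier offline.
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | RCODE_REFUSED, 1, 0, 0, 0)
SAMPLE_NOREC = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD, 1, 0, 0, 0)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"  # assumed address
    print(target, check_resolver(target))
```

The same probe from the command line is `dig @192.0.2.53 example.com`: a server that recurses for you shows `ra` among the flags with `status: NOERROR`, one that does not either omits `ra` or returns `status: REFUSED`. Run it from a host outside the intended client set, since the bug is precisely about clients that should have been denied. Because the defect was in the default that applies when the recursion ACLs are left unset, a named.conf that sets allow-recursion (and allow-query-cache) explicitly for the intended client set does not depend on that default, which is the usual interim measure until the fixed package is installed.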


Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Thu, 14 Jun 2018 14:57:29 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 14 Jun 2018 14:57:29 GMT)


Message #10 received at 901483-close@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: 901483-close@bugs.debian.org
Subject: Bug#901483: fixed in bind9 1:9.11.3+dfsg-2
Date: Thu, 14 Jun 2018 14:54:40 +0000
Source: bind9
Source-Version: 1:9.11.3+dfsg-2

We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 901483@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated bind9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 14 Jun 2018 13:01:47 +0000
Source: bind9
Binary: bind9 bind9utils bind9-doc bind9-host libbind-dev libbind9-160 libdns1100 libirs160 libisc169 liblwres160 libisccc160 libisccfg160 dnsutils libbind-export-dev libdns-export1100 libdns-export1100-udeb libirs-export160 libirs-export160-udeb libisc-export169 libisc-export169-udeb libisccc-export160 libisccc-export160-udeb libisccfg-export160 libisccfg-export160-udeb
Architecture: source
Version: 1:9.11.3+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: BIND 9 Package <bind9@package.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description:
 bind9      - Internet Domain Name Server
 bind9-doc  - Documentation for BIND
 bind9-host - DNS lookup utility (deprecated)
 bind9utils - Utilities for BIND
 dnsutils   - Clients provided with BIND
 libbind-dev - Static Libraries and Headers used by BIND
 libbind-export-dev - Development files for the exported BIND libraries
 libbind9-160 - BIND9 Shared Library used by BIND
 libdns-export1100 - Exported DNS Shared Library
 libdns-export1100-udeb - Exported DNS library for debian-installer (udeb)
 libdns1100 - DNS Shared Library used by BIND
 libirs-export160 - Exported IRS Shared Library
 libirs-export160-udeb - Exported IRS library for debian-installer (udeb)
 libirs160  - DNS Shared Library used by BIND
 libisc-export169 - Exported ISC Shared Library
 libisc-export169-udeb - Exported ISC library for debian-installer (udeb)
 libisc169  - ISC Shared Library used by BIND
 libisccc-export160 - Command Channel Library used by BIND
 libisccc-export160-udeb - Command Channel Library used by BIND (udeb)
 libisccc160 - Command Channel Library used by BIND
 libisccfg-export160 - Exported ISC CFG Shared Library
 libisccfg-export160-udeb - Exported ISC CFG library for debian-installer (udeb)
 libisccfg160 - Config File Handling Library used by BIND
 liblwres160 - Lightweight Resolver Library used by BIND
Closes: 899959 901483
Changes:
 bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium
 .
   * [CVE-2018-5738]: Add upstream fix to close the default open recursion
     (Closes: #901483)
   * Change the maintainer address (Closes: #899959)
Checksums-Sha1:
 47625ba3ef08c3b0e38a7d51945ade02569f67d8 3933 bind9_9.11.3+dfsg-2.dsc
 1d9dbeab8b74bb5c45d81a73bb7bae313bfd9580 82192 bind9_9.11.3+dfsg-2.debian.tar.xz
 1ec75d21d36d37d64de0dd5cae3fdc10a3cdf86e 19444 bind9_9.11.3+dfsg-2_amd64.buildinfo
Checksums-Sha256:
 4fdeb2fa8b7f960936d6a997cb566230fbe218fa3b7979567bb3357df90bb2bc 3933 bind9_9.11.3+dfsg-2.dsc
 d1c471b2d51766c3accd54bd951746f778f33b70748d590a0aa9920dec8184fe 82192 bind9_9.11.3+dfsg-2.debian.tar.xz
 fb120f39b62af6b6e22802c098086d88cf2508f853b3145f910e4136241881e0 19444 bind9_9.11.3+dfsg-2_amd64.buildinfo
Files:
 104e420713661d35b798057a231f478f 3933 net optional bind9_9.11.3+dfsg-2.dsc
 f46df22f096e886088649c29a7f11bc2 82192 net optional bind9_9.11.3+dfsg-2.debian.tar.xz
 3668337f1ba4272c1b778610134ba575 19444 net optional bind9_9.11.3+dfsg-2_amd64.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 13 Jul 2018 07:27:51 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:23:16 2019; Machine Name: buxtehude
