bind9: CVE-2010-3762

Related Vulnerabilities: CVE-2010-3762   CVE-2010-3752   CVE-2010-3613   CVE-2010-3614   CVE-2010-3615  

Debian Bug report logs - #599515
bind9: CVE-2010-3762


Package: bind9; Maintainer for bind9 is Debian DNS Team <team+dns@tracker.debian.org>; Source for bind9 is src:bind9 (PTS, buildd, popcon).

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Fri, 8 Oct 2010 10:33:01 UTC

Severity: grave

Tags: security

Fixed in versions bind9/1:9.7.2.dfsg.P2-1, 1:9.7.3.dfsg-1~squeeze2

Done: bertagaz@ptitcanardnoir.org

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, LaMont Jones <lamont@debian.org>:
Bug#599515; Package bind9. (Fri, 08 Oct 2010 10:33:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, LaMont Jones <lamont@debian.org>. (Fri, 08 Oct 2010 10:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bind9: CVE-2010-3752
Date: Fri, 08 Oct 2010 12:30:03 +0200
Package: bind9
Severity: grave
Tags: security
Justification: user security hole

Two security issues have been reported in Bind:
http://ftp.isc.org/isc/bind9/9.7.2-P2/RELEASE-NOTES-BIND-9.7.2-P2.html

   * If BIND, acting as a DNSSEC validating server, has two or more
     trust anchors configured in named.conf for the same zone (such as
     example.com) and the response for a record in that zone from the
     authoritative server includes a bad signature, the validating
     server will crash while trying to validate that query.
-> This is CVE-2010-3762

    * A flaw where the wrong ACL was applied was fixed. This flaw
      allowed access to a cache via recursion even though the ACL
      disallowed it.
-> No CVE ID is available so far, but this issue only affects 9.7.2,
so Squeeze/sid is not affected:
https://lists.isc.org/pipermail/bind-announce/2010-September/000655.html

Cheers,
        Moritz

-- System Information:
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
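
Added example (not part of the original bug report, nor BIND's own code): an audit of a named.conf for the precondition of CVE-2010-3762 quoted in the message above, two or more trust anchors configured for the same zone. It assumes a single file with no `include` directives; the sample configuration and its key strings are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample named.conf fragment (key material is placeholder text).
SAMPLE_CONF = '''
options { dnssec-validation yes; };  // validating resolver
trusted-keys {
    "example.com." 257 3 5 "AwEAAc...placeholder-key-1";
    example.com 257 3 5 "AwEAAd...placeholder-key-2";   # second anchor, same zone
    "example.org." 257 3 5 "AwEAAe...placeholder-key-3";
};
managed-keys {
    "." initial-key 257 3 5 "AwEAAf...placeholder-key-4";
};
'''

def strip_comments(text):
    """Remove /* */, // and # comments, leaving quoted strings untouched."""
    pattern = r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*'
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else ' '
    return re.sub(pattern, keep_strings, text, flags=re.S)

def normalise(zone):
    """Compare zone names case-insensitively and without the trailing dot."""
    zone = zone.strip('"').lower().rstrip('.')
    return zone or '.'

def trust_anchor_counts(conf):
    """Count trust anchors per zone across trusted-keys and managed-keys blocks."""
    counts = Counter()
    conf = strip_comments(conf)
    for block in re.finditer(r'\b(?:trusted|managed)-keys\s*\{(.*?)\}\s*;', conf, flags=re.S):
        for entry in block.group(1).split(';'):
            tokens = entry.split()
            if tokens:  # first token of each entry is the zone name
                counts[normalise(tokens[0])] += 1
    return counts

def zones_at_risk(conf):
    """Zones with two or more anchors: the precondition named in the report."""
    return sorted(z for z, n in trust_anchor_counts(conf).items() if n >= 2)

if __name__ == '__main__':
    for zone in zones_at_risk(SAMPLE_CONF):
        print(f"multiple trust anchors configured for zone: {zone}")
```

A zone listed here is only exposed on a bind9 package older than the fixed versions recorded in this bug; two anchors for one zone is otherwise a normal state during a key rollover.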




Reply sent to LaMont Jones <lamont@debian.org>:
You have taken responsibility. (Fri, 08 Oct 2010 10:51:08 GMT)


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Fri, 08 Oct 2010 10:51:08 GMT)


Message #10 received at 599515-done@bugs.debian.org:

From: LaMont Jones <lamont@debian.org>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 599515-done@bugs.debian.org
Subject: Re: Bug#599515: bind9: CVE-2010-3752
Date: Fri, 8 Oct 2010 04:48:15 -0600

On Fri, Oct 08, 2010 at 12:30:03PM +0200, Moritz Muehlenhoff wrote:
> Package: bind9
> Severity: grave
> Tags: security
> Justification: user security hole
> Two security issues have been reported in Bind:
> http://ftp.isc.org/isc/bind9/9.7.2-P2/RELEASE-NOTES-BIND-9.7.2-P2.html
> -> No CVE ID is available so far, but this issue only affects 9.7.2,
> so Squeeze/sid is not affected:

Nor will it affect Debian, since I won't be uploading the affected version.

lamont




Did not alter fixed versions and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 08 Oct 2010 11:24:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#599515; Package bind9. (Fri, 08 Oct 2010 11:30:03 GMT)


Acknowledgement sent to Moritz Mühlenhoff <muehlenhoff@univention.de>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Fri, 08 Oct 2010 11:30:03 GMT)


Message #17 received at 599515@bugs.debian.org:

From: Moritz Mühlenhoff <muehlenhoff@univention.de>
To: LaMont Jones <lamont@debian.org>
Cc: 599515@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#599515: bind9: CVE-2010-3752
Date: Fri, 8 Oct 2010 13:18:10 +0200

reopen 599515
thanks

On Friday 08 October 2010 12:48:15, LaMont Jones wrote:
> On Fri, Oct 08, 2010 at 12:30:03PM +0200, Moritz Muehlenhoff wrote:
> > Package: bind9
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > Two security issues have been reported in Bind:
> > http://ftp.isc.org/isc/bind9/9.7.2-P2/RELEASE-NOTES-BIND-9.7.2-P2.html
> > -> No CVE ID is available so far, but this issue only affects 9.7.2,
> > so Squeeze/sid is not affected:
>
> Nor will it affect Debian, since I won't be uploading the affected version.

There are _two_ issues, one of which affects sid/squeeze; CVE-2010-3752.

Reopening.

Cheers,
Moritz
-- 
Moritz Mühlenhoff                                  muehlenhoff@univention.de   
Open Source Software Engineer and Consultant
Univention GmbH        Linux for Your Business        fon: +49 421 22 232- 0
Mary-Somerville-Str.1  28359 Bremen                   fax: +49 421 22 232-99
                                                    http://www.univention.de




Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#599515; Package bind9. (Sun, 31 Oct 2010 20:06:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Sun, 31 Oct 2010 20:06:04 GMT)


Message #22 received at 599515@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: LaMont Jones <lamont@debian.org>
Cc: 599515@bugs.debian.org
Subject: Re: Bug#599515: bind9: CVE-2010-3752
Date: Sun, 31 Oct 2010 21:03:00 +0100

On Fri, Oct 08, 2010 at 01:18:10PM +0200, Moritz Mühlenhoff wrote:
> reopen 599515
> thanks
> 
> On Friday 08 October 2010 12:48:15, LaMont Jones wrote:
> > On Fri, Oct 08, 2010 at 12:30:03PM +0200, Moritz Muehlenhoff wrote:
> > > Package: bind9
> > > Severity: grave
> > > Tags: security
> > > Justification: user security hole
> > > Two security issues have been reported in Bind:
> > > http://ftp.isc.org/isc/bind9/9.7.2-P2/RELEASE-NOTES-BIND-9.7.2-P2.html
> > > -> No CVE ID is available so far, but this issue only affects 9.7.2,
> > > so Squeeze/sid is not affected:
> >
> > Nor will it affect Debian, since I won't be uploading the affected version.
> 
> There are _two_ issues, one of which affects sid/squeeze; CVE-2010-3752.

*ping*

Cheers,
        Moritz




Bug Marked as fixed in versions bind9/1:9.7.2.dfsg.P2-1. Request was from LaMont Jones <lamont@debian.org> to control@bugs.debian.org. (Fri, 26 Nov 2010 12:12:03 GMT)


Message sent on to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug#599515. (Fri, 03 Dec 2010 15:57:05 GMT)


Message #27 received at 599515-submitter@bugs.debian.org:

From: Hideki Yamane <henrich@debian.or.jp>
To: 599515-submitter@bugs.debian.org
Subject: Re: bind9: CVE-2010-3762
Date: Sat, 4 Dec 2010 00:53:49 +0900

Hi,

> > > Nor will it affect Debian, since I won't be uploading the affected version.
> > 
> > There are _two_ issues, one of which affects sid/squeeze; CVE-2010-3752.

 No, CVE-2010-37_6_2 :)

 As the maintainer marked, it's fixed in unstable. Usually, we should pick it up from
 unstable and make the smallest patch for squeeze; however, upstream also released
 BIND 9.7.2-P3, which has at least 3 security fixes: CVE-2010-3613, CVE-2010-3614
 and CVE-2010-3615.

 So there is a choice - make all cherry-picked patches for squeeze or push BIND 9.7.2-P3
 to squeeze. I think pushing the new release is better because it can reduce the difference
 with upstream.


-- 
Regards,

 Hideki Yamane     henrich @ debian.or.jp/org
 http://wiki.debian.org/HidekiYamane




Changed Bug title to 'bind9: CVE-2010-3762' from 'bind9: CVE-2010-3752' Request was from Hideki Yamane <henrich@debian.or.jp> to control@bugs.debian.org. (Sat, 04 Dec 2010 02:21:05 GMT)


Reply sent to bertagaz@ptitcanardnoir.org:
You have taken responsibility. (Wed, 03 Aug 2011 09:06:28 GMT)


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Wed, 03 Aug 2011 09:06:30 GMT)


Message #34 received at 599515-done@bugs.debian.org:

From: bertagaz@ptitcanardnoir.org
To: 599515-done@bugs.debian.org
Cc: muehlenhoff@univention.de, 599515-submitter@bugs.debian.org
Subject: Done: Bug#599515: bind9: CVE-2010-3762
Date: Wed, 3 Aug 2011 10:57:41 +0200

Version: 1:9.7.3.dfsg-1~squeeze2

Closing this bug, as both issues seem to be fixed.

See http://security-tracker.debian.org/tracker/CVE-2010-3762 and
http://security-tracker.debian.org/tracker/DSA-2130-1

bert.




Message sent on to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug#599515. (Wed, 03 Aug 2011 09:06:45 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 01 Sep 2011 07:33:45 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:17:42 2019; Machine Name: beach
