Debian Bug report logs - #386237: bind9: Security update! Please!
Reported by: Patrik Wallstrom <pawal@blipp.com>
Date: Wed, 6 Sep 2006 08:03:01 UTC
Severity: serious
Tags: patch, security
Merged with 386245
Found in versions bind9/1:9.2.4-1, bind9/1:9.3.2-2.1
Fixed in versions 1:9.3.2-P1-1, bind9/1:9.2.4-1sarge1
Done: LaMont Jones <lamont@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>: Bug#386237; Package bind9.
Acknowledgement sent to Patrik Wallstrom <pawal@blipp.com>: New Bug report received and forwarded. Copy sent to LaMont Jones <lamont@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: bind9
Version: 1:9.3.2-2.1
Severity: normal
Tags: patch
http://www.niscc.gov.uk/niscc/docs/re-20060905-00590.pdf?lang=en
Since most BIND installations are also open recursive resolvers, it is too
easy to shoot down the named process from anywhere.
Source:
ftp://ftp.isc.org/isc/bind9/9.3.2-P1/bind-9.3.2-P1.tar.gz
ftp://ftp.isc.org/isc/bind9/9.3.2-P1/bind-9.3.2-P1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.3.2-P1/bind-9.3.2-P1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.3.2-P1/bind-9.3.2-P1.tar.gz.sha512.asc
Public key from here:
http://www.isc.org/about/openpgp/pgpkey2006.txt
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (990, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.13.2
Locale: LANG=en, LC_CTYPE=sv_SE (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Versions of packages bind9 depends on:
ii adduser 3.97 Add and remove users and groups
ii libbind9-0 1:9.3.2-2.1 BIND9 Shared Library used by BIND
ii libc6 2.3.6.ds1-4 GNU C Library: Shared libraries
ii libdns21 1:9.3.2-2.1 DNS Shared Library used by BIND
ii libisc11 1:9.3.2-2.1 ISC Shared Library used by BIND
ii libisccc0 1:9.3.2-2.1 Command Channel Library used by BI
ii libisccfg1 1:9.3.2-2.1 Config File Handling Library used
ii liblwres9 1:9.3.2-2.1 Lightweight Resolver Library used
ii libssl0.9.8 0.9.8b-2 SSL shared libraries
ii lsb-base 3.1-15 Linux Standard Base 3.1 init scrip
ii netbase 4.26 Basic TCP/IP networking system
bind9 recommends no packages.
-- no debconf information
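The report's premise is that a BIND instance that recurses for the whole Internet can be crashed by anyone who sends it the triggering query. The following Python is an added example, not code from the bug report or from ISC, that checks whether a server serves recursion to the host running it: it builds a raw DNS query with the RD bit set and reads the RA bit and RCODE from the reply. The probe name www.example.com stands in for any name the server is not authoritative for, the function names are illustrative, and the sample replies are constructed, not captured from a real server.

```python
import os
import socket
import struct

# DNS header flag bits, RFC 1035 section 4.1.1
FLAG_QR = 0x8000      # response
FLAG_RD = 0x0100      # recursion desired (set by the client)
FLAG_RA = 0x0080      # recursion available (set by the server for *this* client)
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5


def encode_name(name):
    """Wire-format a dotted hostname as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid, name, qtype=1):
    """One question (QCLASS IN, QTYPE A by default) with only the RD flag set."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(data):
    """Decode the 12-byte header; the flag bits are all this check needs."""
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "rcode": flags & RCODE_MASK,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify(txid, response):
    """Interpret a reply to a query for a name the server is NOT authoritative for.

    open-recursive : RA set and the server actually resolved the name (records or NXDOMAIN)
    ra-only        : RA set but nothing resolved; retry with another external name
    refused        : RCODE REFUSED, the usual BIND answer when allow-recursion excludes us
    no-recursion   : RA clear, the server does not recurse for this client
    mismatch       : wrong transaction ID or not a response; ignore it
    """
    h = parse_header(response)
    if h["id"] != txid or not h["qr"]:
        return "mismatch"
    if h["rcode"] == RCODE_REFUSED:
        return "refused"
    if h["ra"] and (h["ancount"] > 0 or h["rcode"] == RCODE_NXDOMAIN):
        return "open-recursive"
    if h["ra"]:
        return "ra-only"
    return "no-recursion"


def probe(server, name="www.example.com.", port=53, timeout=3.0):
    """Send one UDP query to server and classify its answer (this one uses the network)."""
    txid = int.from_bytes(os.urandom(2), "big")   # random ID so stray packets are ignored
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(txid, name), (server, port))
        data, _ = s.recvfrom(4096)
    return classify(txid, data)


# Constructed sample replies (not captured from any real server) so the
# classifier can be exercised offline.
TXID = 0x1234
_QUESTION = encode_name("www.example.com.") + struct.pack("!HH", 1, 1)
# Answer RR: name is a compression pointer to offset 12, type A, class IN, TTL 300, 192.0.2.1
_ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
SAMPLE_OPEN = struct.pack("!HHHHHH", TXID, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0) + _QUESTION + _ANSWER
SAMPLE_REFUSED = struct.pack("!HHHHHH", TXID, FLAG_QR | FLAG_RD | RCODE_REFUSED, 1, 0, 0, 0) + _QUESTION
SAMPLE_NOREC = struct.pack("!HHHHHH", TXID, FLAG_QR | FLAG_RD, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else classify(TXID, SAMPLE_OPEN))
```

Saved as, say, probe.py and run as `python3 probe.py 192.0.2.53`, it prints the verdict for that server. An "open-recursive" result from an address outside your own network means recursion should be restricted with `allow-recursion { ... };` in the options block of named.conf, or `recursion no;` on authoritative-only servers. A refusal only shows that this particular client is excluded, so probe from outside the network as well as from inside it.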
Severity set to `serious' from `normal'. Request was from LaMont Jones <lamont@debian.org> to control@bugs.debian.org.
Reply sent to LaMont Jones <lamont@debian.org>: You have taken responsibility.
Notification sent to Patrik Wallstrom <pawal@blipp.com>: Bug acknowledged by developer.
Message #14 received at 386237-close@bugs.debian.org:
Source: bind9
Source-Version: 1:9.3.2-P1-1
We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive:
bind9-doc_9.3.2-P1-1_all.deb
to pool/main/b/bind9/bind9-doc_9.3.2-P1-1_all.deb
bind9-host_9.3.2-P1-1_i386.deb
to pool/main/b/bind9/bind9-host_9.3.2-P1-1_i386.deb
bind9_9.3.2-P1-1.diff.gz
to pool/main/b/bind9/bind9_9.3.2-P1-1.diff.gz
bind9_9.3.2-P1-1.dsc
to pool/main/b/bind9/bind9_9.3.2-P1-1.dsc
bind9_9.3.2-P1-1_i386.deb
to pool/main/b/bind9/bind9_9.3.2-P1-1_i386.deb
bind9_9.3.2-P1.orig.tar.gz
to pool/main/b/bind9/bind9_9.3.2-P1.orig.tar.gz
dnsutils_9.3.2-P1-1_i386.deb
to pool/main/b/bind9/dnsutils_9.3.2-P1-1_i386.deb
libbind-dev_9.3.2-P1-1_i386.deb
to pool/main/b/bind9/libbind-dev_9.3.2-P1-1_i386.deb
libbind9-0_9.3.2-P1-1_i386.deb
to pool/main/b/bind9/libbind9-0_9.3.2-P1-1_i386.deb
libdns21_9.3.2-P1-1_i386.deb
to pool/main/b/bind9/libdns21_9.3.2-P1-1_i386.deb
libisc11_9.3.2-P1-1_i386.deb
to pool/main/b/bind9/libisc11_9.3.2-P1-1_i386.deb
libisccc0_9.3.2-P1-1_i386.deb
to pool/main/b/bind9/libisccc0_9.3.2-P1-1_i386.deb
libisccfg1_9.3.2-P1-1_i386.deb
to pool/main/b/bind9/libisccfg1_9.3.2-P1-1_i386.deb
liblwres9_9.3.2-P1-1_i386.deb
to pool/main/b/bind9/liblwres9_9.3.2-P1-1_i386.deb
lwresd_9.3.2-P1-1_i386.deb
to pool/main/b/bind9/lwresd_9.3.2-P1-1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 386237@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
LaMont Jones <lamont@debian.org> (supplier of updated bind9 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 6 Sep 2006 08:07:13 -0600
Source: bind9
Binary: libisccc0 lwresd libbind9-0 bind9-doc dnsutils bind9 libbind-dev bind9-host liblwres9 libisc11 libisccfg1 libdns21
Architecture: all i386 source
Version: 1:9.3.2-P1-1
Distribution: unstable
Urgency: high
Maintainer: LaMont Jones <lamont@debian.org>
Changed-By: LaMont Jones <lamont@debian.org>
Description:
bind9 - Internet Domain Name Server
bind9-doc - Documentation for BIND
bind9-host - Version of 'host' bundled with BIND 9.X
dnsutils - Clients provided with BIND
libbind-dev - Static Libraries and Headers used by BIND
libbind9-0 - BIND9 Shared Library used by BIND
libdns21 - DNS Shared Library used by BIND
libisc11 - ISC Shared Library used by BIND
libisccc0 - Command Channel Library used by BIND
libisccfg1 - Config File Handling Library used by BIND
liblwres9 - Lightweight Resolver Library used by BIND
lwresd - Lightweight Resolver Daemon
Closes: 239665 342957 356914 372203 386091 386224 386237 386245
Changes:
bind9 (1:9.3.2-P1-1) unstable; urgency=high
.
* New upstream, fixes CVE-2006-4095 and CVE-2006-4096.
Closes: #386237, #386245
* Drop gcc-3.4 [powerpc] dependency. Closes: #342957, #372203
* Add -fno-strict-aliasing for type-punned pointer aliasing issues
Closes: #386224
* Use getent in postinst instead of chown/chgrp. Closes: #386091, #239665
* Drop redundant update-rc.d calls. Closes: #356914
Files:
4300b25ce950ee43c46e528d44289d0d 107540 net standard bind9-host_9.3.2-P1-1_i386.deb
493c9774c810fa2cb0fcb80e1e551f84 285196 net optional bind9_9.3.2-P1-1_i386.deb
49bef4db312e0df38a0d2b640143de26 199574 net optional lwresd_9.3.2-P1-1_i386.deb
6e68b98e1752ab306221c3fb6be5efde 105836 libs standard liblwres9_9.3.2-P1-1_i386.deb
7caf939d49a12e93e8472ac9177c1951 977156 libdevel optional libbind-dev_9.3.2-P1-1_i386.deb
895e86142c4cc0caefa60bfb6ce727ef 86899 net optional bind9_9.3.2-P1-1.diff.gz
a0b86647ef6a2d5f1e759112d08e2229 5303237 net optional bind9_9.3.2-P1.orig.tar.gz
a23dfc2a091bb32e3cdadef1993c3633 174190 net standard dnsutils_9.3.2-P1-1_i386.deb
b105b11854951e9b26f01a44256bd674 460296 libs standard libdns21_9.3.2-P1-1_i386.deb
c543dd20c1ae994d9103ca7d9f929764 101562 libs optional libisccfg1_9.3.2-P1-1_i386.deb
c705733a986b7cfde668a6253d2d192e 90226 libs standard libbind9-0_9.3.2-P1-1_i386.deb
d9df445ee56b397ae0e3cb14716d6d9b 180174 doc optional bind9-doc_9.3.2-P1-1_all.deb
c2d4b405b797499a4b4b7d2a464441d7 757 net optional bind9_9.3.2-P1-1.dsc
f9362f82a213092f53dc2861574835cf 90182 libs optional libisccc0_9.3.2-P1-1_i386.deb
fd7db16323a70ccc366f3b54ba4d04ad 164274 libs standard libisc11_9.3.2-P1-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFE/t+SzN/kmwoKyScRAo32AJ9jF5NbWD8TcJSQlfMjsIwpLE+zggCgm5Rv
q/9ztk5jcRIEwrvNV4l86i0=
=iFHS
-----END PGP SIGNATURE-----
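The close message carries the signed .changes file, whose Files: field lists an MD5 sum and size for every uploaded artifact. As an added example that is not part of the bug log or of Debian's own tooling, the following Python parses that field and checks a set of downloaded files against it. The stanza embedded in it is constructed from three of the entries above (with the leading space that .changes continuation lines carry), and the function and file names are illustrative.

```python
import hashlib
import os
import re

# Constructed input: the Format 1.7 fields and three of the Files: entries from the
# 1:9.3.2-P1-1 .changes shown above (continuation lines carry a leading space).
SAMPLE_CHANGES = """Format: 1.7
Source: bind9
Version: 1:9.3.2-P1-1
Files:
 493c9774c810fa2cb0fcb80e1e551f84 285196 net optional bind9_9.3.2-P1-1_i386.deb
 c2d4b405b797499a4b4b7d2a464441d7 757 net optional bind9_9.3.2-P1-1.dsc
 a0b86647ef6a2d5f1e759112d08e2229 5303237 net optional bind9_9.3.2-P1.orig.tar.gz
"""

# md5 (32 hex digits), size, section, priority, filename
FILE_LINE = re.compile(r"^\s*([0-9a-f]{32})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_files(changes_text):
    """Return {filename: (md5hex, size)} from the Files: field of a 1.x .changes."""
    entries = {}
    in_files = False
    for line in changes_text.splitlines():
        if not in_files:
            in_files = line.startswith("Files:")
            continue
        if not line.startswith(" "):      # next field (or signature): continuation block is over
            break
        m = FILE_LINE.match(line)
        if not m:
            raise ValueError("malformed Files: line %r" % line)
        md5hex, size, _section, _priority, name = m.groups()
        if "/" in name or name in (".", ".."):  # a signed list must not steer us out of the pool dir
            raise ValueError("refusing filename with path component %r" % name)
        entries[name] = (md5hex, int(size))
    return entries


def _status(want_md5, want_size, got_size, got_md5):
    """Size is checked first because it is free; the digest only runs when size agrees."""
    if got_size != want_size:
        return "size"
    if got_md5() != want_md5:
        return "md5"
    return "ok"


def verify_blobs(changes_text, blobs):
    """Check in-memory {name: bytes} against the stanza; returns {name: ok|missing|size|md5}."""
    results = {}
    for name, (want_md5, want_size) in parse_files(changes_text).items():
        if name not in blobs:
            results[name] = "missing"
            continue
        data = blobs[name]
        results[name] = _status(want_md5, want_size, len(data),
                                lambda d=data: hashlib.md5(d).hexdigest())
    return results


def verify_dir(changes_text, directory):
    """Same check for files on disk, hashing in chunks so a large .orig.tar.gz is fine."""
    def file_md5(path):
        h = hashlib.md5()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        return h.hexdigest()

    results = {}
    for name, (want_md5, want_size) in parse_files(changes_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        results[name] = _status(want_md5, want_size, os.path.getsize(path),
                                lambda p=path: file_md5(p))
    return results
```

The sums only catch corruption or a wrong download. MD5 is not collision-resistant, so authenticity rests on the PGP signature over the .changes (verify that first, against the uploader's key in the Debian keyring) and, for the upstream tarball, on the .asc and .sha256.asc files the reporter lists, checked against the ISC key he links.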
Reply sent to LaMont Jones <lamont@debian.org>: You have taken responsibility.
Notification sent to Christian Hammers <ch@debian.org>: Bug acknowledged by developer.
Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>: Bug#386237; Package bind9.
Acknowledgement sent to Micah Anderson <micah@riseup.net>: Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>.
Message #24 received at 386237@bugs.debian.org:
Does this patch work with just plain ole 'bind' (not bind9)? That
package also seems vulnerable...
Micah
Patrik Wallstrom wrote:
> Package: bind9
> Version: 1:9.3.2-2.1
> Severity: normal
> Tags: patch
>
>
> http://www.niscc.gov.uk/niscc/docs/re-20060905-00590.pdf?lang=en
>
> Since most BIND installations are also open recursive resolvers, it is too
> easy to shoot down the named process from anywhere.
>
> Source:
> ftp://ftp.isc.org/isc/bind9/9.3.2-P1/bind-9.3.2-P1.tar.gz
> ftp://ftp.isc.org/isc/bind9/9.3.2-P1/bind-9.3.2-P1.tar.gz.asc
> ftp://ftp.isc.org/isc/bind9/9.3.2-P1/bind-9.3.2-P1.tar.gz.sha256.asc
> ftp://ftp.isc.org/isc/bind9/9.3.2-P1/bind-9.3.2-P1.tar.gz.sha512.asc
>
> Public key from here:
> http://www.isc.org/about/openpgp/pgpkey2006.txt
>
> -- System Information:
> Debian Release: testing/unstable
> APT prefers unstable
> APT policy: (990, 'unstable')
> Architecture: i386 (i686)
> Shell: /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.13.2
> Locale: LANG=en, LC_CTYPE=sv_SE (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
>
> Versions of packages bind9 depends on:
> ii adduser 3.97 Add and remove users and groups
> ii libbind9-0 1:9.3.2-2.1 BIND9 Shared Library used by BIND
> ii libc6 2.3.6.ds1-4 GNU C Library: Shared libraries
> ii libdns21 1:9.3.2-2.1 DNS Shared Library used by BIND
> ii libisc11 1:9.3.2-2.1 ISC Shared Library used by BIND
> ii libisccc0 1:9.3.2-2.1 Command Channel Library used by BI
> ii libisccfg1 1:9.3.2-2.1 Config File Handling Library used
> ii liblwres9 1:9.3.2-2.1 Lightweight Resolver Library used
> ii libssl0.9.8 0.9.8b-2 SSL shared libraries
> ii lsb-base 3.1-15 Linux Standard Base 3.1 init scrip
> ii netbase 4.26 Basic TCP/IP networking system
>
> bind9 recommends no packages.
>
> -- no debconf information
>
>
Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>: Bug#386237; Package bind9.
Acknowledgement sent to Patrik Wallstrom <pawal@blipp.com>: Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>.
Message #29 received at 386237@bugs.debian.org:
On Wed, 06 Sep 2006, Micah Anderson wrote:
> Does this patch work with just plain ole 'bind' (not bind9)? That
> package also seems vulnerable...
No, there are separate packages for BIND 8. (All BIND users should
upgrade to version 9 anyway.)
All new versions are published at isc.org.
--
patrik_wallstrom->foodfight->pawal@blipp.com->+46-733173956
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#386237; Package bind9.
Acknowledgement sent to LaMont Jones <lamont@debian.org>: Extra info received and forwarded to list.
Message #34 received at 386237@bugs.debian.org:
On Wed, Sep 06, 2006 at 07:33:34PM +0200, Patrik Wallstrom wrote:
> On Wed, 06 Sep 2006, Micah Anderson wrote:
> > Does this patch work with just plain ole 'bind' (not bind9)? That
> > package also seems vulnerable...
> No, there are separate packages for BIND 8. (All BIND users should
> upgrade to version 9 anyway.)
> All new versions are published at isc.org.
And neither CVE-2006-4095 nor CVE-2006-4096 affect BIND 8, according
to the CERT advisory.
lamont
Bug reopened, originator not changed. Request was from Steinar H. Gunderson <sesse@debian.org> to control@bugs.debian.org.
Bug marked as fixed in version 1:9.3.2-P1-1, send any further explanations to Patrik Wallstrom <pawal@blipp.com>. Request was from Steinar H. Gunderson <sesse@debian.org> to control@bugs.debian.org.
Reply sent to LaMont Jones <lamont@debian.org>: You have taken responsibility.
Notification sent to Patrik Wallstrom <pawal@blipp.com>: Bug acknowledged by developer.
Message #43 received at 386237-close@bugs.debian.org:
Source: bind9
Source-Version: 1:9.2.4-1sarge1
We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive:
bind9-doc_9.2.4-1sarge1_all.deb
to pool/main/b/bind9/bind9-doc_9.2.4-1sarge1_all.deb
bind9-host_9.2.4-1sarge1_powerpc.deb
to pool/main/b/bind9/bind9-host_9.2.4-1sarge1_powerpc.deb
bind9_9.2.4-1sarge1.diff.gz
to pool/main/b/bind9/bind9_9.2.4-1sarge1.diff.gz
bind9_9.2.4-1sarge1.dsc
to pool/main/b/bind9/bind9_9.2.4-1sarge1.dsc
bind9_9.2.4-1sarge1_powerpc.deb
to pool/main/b/bind9/bind9_9.2.4-1sarge1_powerpc.deb
dnsutils_9.2.4-1sarge1_powerpc.deb
to pool/main/b/bind9/dnsutils_9.2.4-1sarge1_powerpc.deb
libbind-dev_9.2.4-1sarge1_powerpc.deb
to pool/main/b/bind9/libbind-dev_9.2.4-1sarge1_powerpc.deb
libdns16_9.2.4-1sarge1_powerpc.deb
to pool/main/b/bind9/libdns16_9.2.4-1sarge1_powerpc.deb
libisc7_9.2.4-1sarge1_powerpc.deb
to pool/main/b/bind9/libisc7_9.2.4-1sarge1_powerpc.deb
libisccc0_9.2.4-1sarge1_powerpc.deb
to pool/main/b/bind9/libisccc0_9.2.4-1sarge1_powerpc.deb
libisccfg0_9.2.4-1sarge1_powerpc.deb
to pool/main/b/bind9/libisccfg0_9.2.4-1sarge1_powerpc.deb
liblwres1_9.2.4-1sarge1_powerpc.deb
to pool/main/b/bind9/liblwres1_9.2.4-1sarge1_powerpc.deb
lwresd_9.2.4-1sarge1_powerpc.deb
to pool/main/b/bind9/lwresd_9.2.4-1sarge1_powerpc.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 386237@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
LaMont Jones <lamont@debian.org> (supplier of updated bind9 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 6 Sep 2006 10:03:20 -0600
Source: bind9
Binary: libisccc0 libdns16 lwresd bind9-doc dnsutils bind9 libbind-dev libisc7 libisccfg0 bind9-host liblwres1
Architecture: source powerpc all
Version: 1:9.2.4-1sarge1
Distribution: stable
Urgency: low
Maintainer: Martin Schulze <joey@debian.org>
Changed-By: LaMont Jones <lamont@debian.org>
Description:
bind9 - Internet Domain Name Server
bind9-doc - Documentation for BIND
bind9-host - Version of 'host' bundled with BIND 9.X
dnsutils - Clients provided with BIND
libbind-dev - Static Libraries and Headers used by BIND
libdns16 - DNS Shared Library used by BIND
libisc7 - ISC Shared Library used by BIND
libisccc0 - Command Channel Library used by BIND
libisccfg0 - Config File Handling Library used by BIND
liblwres1 - Lightweight Resolver Library used by BIND
lwresd - Lightweight Resolver Daemon
Closes: 386237 386245
Changes:
bind9 (1:9.2.4-1sarge1) stable; urgency=low
.
* Backport bugfix for 1941 from 9.2.6-P1. Closes: #386237, #386245
- fixes CVE-2006-4095 and CVE-2006-4096.
- ncache_adderesult() should set eresult even if no rdataset is passed
to it. [RT #15642]
Files:
1c1f68802373715b71c85df3a4e42959 742 net optional bind9_9.2.4-1sarge1.dsc
2ccbddbab59aedd6b8711b628b5472bd 4564219 net optional bind9_9.2.4.orig.tar.gz
dccd8daf65751535821c1d5feb007782 91537 net optional bind9_9.2.4-1sarge1.diff.gz
df36851fe572ba9372f51c42225434e8 156816 doc optional bind9-doc_9.2.4-1sarge1_all.deb
d5cc4b04035ea481efb5250d61283e31 282768 net optional bind9_9.2.4-1sarge1_powerpc.deb
eed4524990cf16a591e57ef61470c09c 93750 net standard bind9-host_9.2.4-1sarge1_powerpc.deb
234ce0842c3ac7a207e3b7b698572647 1109584 libdevel optional libbind-dev_9.2.4-1sarge1_powerpc.deb
20e302aada3ef87960e3060adf8c058e 462120 libs standard libdns16_9.2.4-1sarge1_powerpc.deb
146b977cef2b4ff312d88ee69d9a911d 158568 libs standard libisc7_9.2.4-1sarge1_powerpc.deb
04eb51f3b1e31cd6ea32df7f84674d79 94398 libs standard liblwres1_9.2.4-1sarge1_powerpc.deb
4c76f8a6fd2f8b87c6ac6b252d97cff5 78214 libs optional libisccc0_9.2.4-1sarge1_powerpc.deb
eacee514e6e33b3958c58d848c7c89e4 92182 libs optional libisccfg0_9.2.4-1sarge1_powerpc.deb
e1b2319a705cfd55c868428e3fc223da 160356 net standard dnsutils_9.2.4-1sarge1_powerpc.deb
d1da6cec7019371c0ed92a354b764875 180672 net optional lwresd_9.2.4-1sarge1_powerpc.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFAB3MW5ql+IAeqTIRApJvAJwMrwoGOLZ8NGb9aheKHUTe0RfnRgCfYWea
FQL7oqlJNEFXcO377sC4Tjk=
=DPNL
-----END PGP SIGNATURE-----
Reply sent to LaMont Jones <lamont@debian.org>: You have taken responsibility.
Notification sent to Christian Hammers <ch@debian.org>: Bug acknowledged by developer.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 06:27:07 GMT)
Last modified: Wed Jun 19 13:21:34 2019; Machine Name: buxtehude