bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME

Debian Bug report logs - #860225
bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME

Date: Thu, 13 Apr 2017 06:35:11 +0200

Source: bind9
Version: 1:9.9.5.dfsg-9
Severity: grave
Tags: patch upstream security fixed-upstream

Hi,

the following vulnerability was published for bind9.

CVE-2017-3137[0]:
|A response packet can cause a resolver to terminate when processing an
|answer containing a CNAME or DNAME

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-3137
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3137
[1] https://kb.isc.org/article/AA-01466

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Message #10 received at 860225@bugs.debian.org (full text, mbox, reply):

From: Jan Korbel <debian@teptin.net>

To: 860225@bugs.debian.org

Subject: assertion failure

Date: Mon, 24 Apr 2017 10:00:41 +0200

Hello.

Our bind9 in jessie exited due to assertion failure today. On bind-user
i found it was because CVE-2017-3137. Please apply upstream patches. Thx.

links:

https://www.mail-archive.com/bind-users@lists.isc.org/msg24356.html
https://security-tracker.debian.org/tracker/CVE-2017-3137

logs:

Apr 24 08:41:31 server named[20579]: resolver.c:4350: INSIST(fctx->type == ((dns_rdatatype_t)dns_rdatatype_any) ||
  fctx->type == ((dns_rdatatype_t)dns_rdatatype_rrsig) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_sig)) failed, back trace
Apr 24 08:41:31 server named[20579]: #0 0xb7789ec3 in ??
Apr 24 08:41:31 server named[20579]: #1 0xb71207e5 in ??
Apr 24 08:41:31 server named[20579]: #2 0xb75e47be in ??
Apr 24 08:41:31 server named[20579]: #3 0xb7143a7c in ??
Apr 24 08:41:31 server named[20579]: #4 0xb70f3ee2 in ??
Apr 24 08:41:31 server named[20579]: #5 0xb6ea9afe in ??
Apr 24 08:41:31 server named[20579]: exiting (due to assertion failure)

Regards,

jc

Message #15 received at 860225@bugs.debian.org (full text, mbox, reply):

From: "Jan Sechovec (skudlik)" <skudlik@mail.klfree.net>

To: 860225@bugs.debian.org

Subject: Re: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME

Date: Tue, 25 Apr 2017 06:54:21 +0200

Hello,

Debian Jessie, bind9  9:1:9.9.5.dfsg-9+deb8u10

Same problem, bind gets down after few hours... something has started 
abusing this vulnerability.

24-Apr-2017 23:21:22.592 resolver.c:4350: INSIST(fctx->type == 
((dns_rdatatype_t)dns_rdatatype_any) || fctx->type == 
((dns_rdatatype_t)dns_rdatatype_rrsig) || fctx->type == 
((dns_rdatatype_t)dns_rdatatype_sig)) failed, back trace
24-Apr-2017 23:21:22.592 #0 0x7eff74c11a00 in ??
24-Apr-2017 23:21:22.592 #1 0x7eff72ded8ea in ??
24-Apr-2017 23:21:22.592 #2 0x7eff744d314e in ??
24-Apr-2017 23:21:22.592 #3 0x7eff72e0fd5b in ??
24-Apr-2017 23:21:22.592 #4 0x7eff727c0064 in ??
24-Apr-2017 23:21:22.592 #5 0x7eff7218e62d in ??
24-Apr-2017 23:21:22.592 exiting (due to assertion failure)

The problem is for us really critical.

Thanks in advance,

Jan

Message #20 received at 860225@bugs.debian.org (full text, mbox, reply):

From: Jorge Daniel Sequeira Matias <jdsm@tecnico.ulisboa.pt>

To: 860225@bugs.debian.org

Subject: Assertion failure with bind9 1:9.9.5.dfsg-9+deb8u10

Date: Thu, 27 Apr 2017 12:06:37 +0100

[Message part 1 (text/plain, inline)]

Hi,

In have both my DNS resolv servers aborting randomly with assertion failure since beginning of last week. Since then we have these crashes almost every day, and sometimes in both servers almost at the time.
I see that ISC already publish a fixed version last week, but it seems that Debian is later than other distributions in getting a backport if this fix.

Here’s a sample of is being written to syslog:

—8<—
2017-04-20T03:08:16.862168+01:00 server named[12129]: resolver.c:4350: INSIST(fctx->type == ((dns_rdatatype_t)dns_rdatatype_any) || fctx->t
ype == ((dns_rdatatype_t)dns_rdatatype_rrsig) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_sig)) failed, back trace
2017-04-20T03:08:16.862596+01:00 server named[12129]: #0 0x7fc984c76a00 in ??
2017-04-20T03:08:16.862880+01:00 server named[12129]: #1 0x7fc982e528ea in ??
2017-04-20T03:08:16.863163+01:00 server named[12129]: #2 0x7fc98453814e in ??
2017-04-20T03:08:16.863426+01:00 server named[12129]: #3 0x7fc982e74d5b in ??
2017-04-20T03:08:16.863695+01:00 server named[12129]: #4 0x7fc982825064 in ??
2017-04-20T03:08:16.863958+01:00 server named[12129]: #5 0x7fc9821f362d in ??
2017-04-20T03:08:16.864237+01:00 server named[12129]: exiting (due to assertion failure)
—>8—

# dpkg -l | grep bind9
ii  bind9                          1:9.9.5.dfsg-9+deb8u10       amd64        Internet Domain Name Server
[…]

# lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 8.7 (jessie)
Release:	8.7
Codename:	jessie

# uname -a
Linux server 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/Linux


Best regards,
Jorge Daniel Sequeira Matias

[signature.asc (application/pgp-signature, attachment)]

Message #25 received at 860225@bugs.debian.org (full text, mbox, reply):

From: Luca Galassi <luca.galassi@acantho.com>

To: Debian Bug Tracking System <860225@bugs.debian.org>

Subject: Re: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME

Date: Thu, 27 Apr 2017 16:33:09 +0200

Package: bind9
Version: 1:9.9.5.dfsg-9+deb8u10
Followup-For: Bug #860225

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or
     ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages bind9 depends on:
ii  adduser                3.113+nmu3
ii  bind9utils             1:9.9.5.dfsg-9+deb8u10
ii  debconf [debconf-2.0]  1.5.56
ii  init-system-helpers    1.22
ii  libbind9-90            1:9.9.5.dfsg-9+deb8u10
ii  libc6                  2.19-18+deb8u7
ii  libcap2                1:2.24-8
ii  libcomerr2             1.42.12-2+b1
ii  libdns100              1:9.9.5.dfsg-9+deb8u10
ii  libgssapi-krb5-2       1.12.1+dfsg-19+deb8u2
ii  libisc95               1:9.9.5.dfsg-9+deb8u10
ii  libisccc90             1:9.9.5.dfsg-9+deb8u10
ii  libisccfg90            1:9.9.5.dfsg-9+deb8u10
ii  libk5crypto3           1.12.1+dfsg-19+deb8u2
ii  libkrb5-3              1.12.1+dfsg-19+deb8u2
ii  liblwres90             1:9.9.5.dfsg-9+deb8u10
ii  libssl1.0.0            1.0.1t-1+deb8u6
ii  libxml2                2.9.1+dfsg1-5+deb8u4
ii  lsb-base               4.1+Debian13+nmu1
ii  net-tools              1.60-26+b1
ii  netbase                5.3

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind9-doc   <none>
ii  dnsutils    1:9.9.5.dfsg-9+deb8u10
pn  resolvconf  <none>
pn  ufw         <none>

-- Configuration Files:
/etc/bind/named.conf.local changed:
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
// zone di cui ns2 e' slave di ns1
include "/etc/bind/named.conf.local.slave";
//zone di reverse
include "/etc/bind/named.conf.local.reverse";
// zone di cui ns2 e' slave di server clienti
include "/etc/bind/named.conf.local.slave_ext";
// zone bloccate dall'autority;
include "/etc/bind/named.conf.local.bloccati";
//
// Aggiungere qui solamente le zone MASTER
//
zone "acantho.net" IN {
        type master;
        file "/etc/bind/master/acantho.net";
};
// *************
//
// le zone seguenti sono interne ad acantho, e devono avere la restrizione:
// allow-query { dns-allowed-internal; };
//
// ************
zone "acantho.nt" IN {
        type master;
        file "/etc/bind/master/acantho.nt";
        allow-query { dns-allowed-internal; };
};
zone "acantho.idc" IN {
        type master;
        file "/etc/bind/master/acantho.idc";
};
zone "noc.acantho.idc" {
        type master;                    // what used to be called "primary"
        file "/etc/bind/master/noc.acantho.idc";
        allow-query { dns-allowed-internal; };
        sig-validity-interval 990;
};
zone "acantho.sys" {
        type master;                    // what used to be called "primary"
        file "/etc/bind/master/acantho.sys";
        allow-query { dns-allowed-internal; };
};


-- debconf information:
  bind9/different-configuration-file:
  bind9/start-as-user: bind
  bind9/run-resolvconf: false





root@ns2:/var/log# grep named syslog | grep " 13:1"
Apr 27 13:10:23 ns2 named[29566]: rate-limit: would stop limiting NXDOMAIN responses to 213.209.226.5/32 for smg.ultra.brightmail.com  (3b7d8bd6)
Apr 27 13:10:47 ns2 named[29566]: rate-limit: would continue limiting NXDOMAIN responses to 213.174.182.194/32 for zen.spamhaus.org  (393fe905)
Apr 27 13:11:05 ns2 named[29566]: rate-limit: would continue limiting NXDOMAIN responses to 77.89.18.196/32 for zen.spamhaus.org  (393fe905)
Apr 27 13:11:05 ns2 named[29566]: rate-limit: would continue limiting NXDOMAIN responses to 77.89.18.196/32 for sbl.spamhaus.org  (393fe6b1)
Apr 27 13:11:45 ns2 named[29566]: general: resolver.c:4350: INSIST(fctx->type == ((dns_rdatatype_t)dns_rdatatype_any) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_rrsig) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_sig)) failed, back trace
Apr 27 13:11:45 ns2 named[29566]: general: #0 0x7fcb266dfa00 in ??
Apr 27 13:11:45 ns2 named[29566]: general: #1 0x7fcb248bb8ea in ??
Apr 27 13:11:45 ns2 named[29566]: general: #2 0x7fcb25fa114e in ??
Apr 27 13:11:45 ns2 named[29566]: general: #3 0x7fcb248ddd5b in ??
Apr 27 13:11:45 ns2 named[29566]: general: #4 0x7fcb2428e064 in ??
Apr 27 13:11:45 ns2 named[29566]: general: #5 0x7fcb23c5c62d in ??
Apr 27 13:11:45 ns2 named[29566]: general: exiting (due to assertion failure)



This issiue is very critical for us!

This event happended twice in three days.

Best regards.

Luca Galassi
Acantho

Message #30 received at 860225@bugs.debian.org (full text, mbox, reply):

From: Cédric Dufour - Idiap Research Institute <cedric.dufour@idiap.ch>

To: 860225@bugs.debian.org

Subject: Re: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME

Date: Sun, 7 May 2017 13:55:28 +0200

Same here.

Multi/redundant DNS servers do not help, the culprit recursive query being sent multiple times by client as each DNS server falls in turn.
And multi-$$$$ firewall/IPS doesn't help catching the faulty packets :-(

I may state the obvious, but only workaround so far is (already saved the night a few times):
$ cat /etc/cron.d/cve-2017-3137 
# Make sure BIND9 has not crashed (cf. CVE-2017-3137)
* * * * * root pgrep named >/dev/null || service bind9 restart
(not so elegant however)

Any hope Debian/Stable BIND gets patched ?
(that's a pretty severe DoS vulnerability we have here)

Thanks and sincerily,

Cédric

Message #37 received at 860225@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 860224@bugs.debian.org, 860225@bugs.debian.org, 860226@bugs.debian.org

Cc: fw@debian.org, mgilbert@debian.org

Subject: bind9: diff for NMU version 1:9.10.3.dfsg.P4-12.3

Date: Sun, 7 May 2017 16:38:37 +0200

[Message part 1 (text/plain, inline)]

Control: tags 860224 + patch
Control: tags 860224 + pending
Control: tags 860225 + pending
Control: tags 860226 + patch
Control: tags 860226 + pending

Dear maintainer,

I've prepared an NMU for bind9 (versioned as 1:9.10.3.dfsg.P4-12.3) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Please note, I could not test bind9 under real conditions with those
patches. The testsuite passed though the dname tests.

I'm cc'ing as well Mike and Florian for possible review.

Furthermore the version for jessie ist still not yet done.

Regards,
Salvatore

[bind9_9.10.3.dfsg.P4-12.3.debdiff (text/plain, attachment)]

Message #42 received at 860225@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 860225@bugs.debian.org

Cc: 860224@bugs.debian.org, 860226@bugs.debian.org, fw@debian.org

Subject: Re: Bug#860225: bind9: diff for NMU version 1:9.10.3.dfsg.P4-12.3

Date: Mon, 8 May 2017 18:23:23 -0400

On Sun, May 7, 2017 at 10:38 AM, Salvatore Bonaccorso wrote:
> I've prepared an NMU for bind9 (versioned as 1:9.10.3.dfsg.P4-12.3) and
> uploaded it to DELAYED/5. Please feel free to tell me if I
> should delay it longer.

Hi Salvatore,

I reviewed the diff.  It does look correct to me, so please feel free
to remove the delay.

I don't have the free time to prepare the jessie DSA right now, are
you willing to do it?

Best wishes,
Mike

Message #47 received at 860225@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <mgilbert@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 860225@bugs.debian.org

Cc: 860224@bugs.debian.org, 860226@bugs.debian.org, fw@debian.org

Subject: Re: Bug#860225: bind9: diff for NMU version 1:9.10.3.dfsg.P4-12.3

Date: Mon, 8 May 2017 18:28:51 -0400

On Mon, May 8, 2017 at 6:23 PM, Michael Gilbert wrote:
> I reviewed the diff.  It does look correct to me, so please feel free
> to remove the delay.

There is also CVE-2017-3139 now [0].

Best wishes,
Mike

[0] https://access.redhat.com/errata/RHSA-2017:1202

Message #52 received at 860225@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Michael Gilbert <mgilbert@debian.org>

Cc: 860225@bugs.debian.org, 860224@bugs.debian.org, 860226@bugs.debian.org, fw@debian.org

Subject: Re: Bug#860225: bind9: diff for NMU version 1:9.10.3.dfsg.P4-12.3

Date: Tue, 9 May 2017 06:26:47 +0200

Hi Michael,

On Mon, May 08, 2017 at 06:23:23PM -0400, Michael Gilbert wrote:
> On Sun, May 7, 2017 at 10:38 AM, Salvatore Bonaccorso wrote:
> > I've prepared an NMU for bind9 (versioned as 1:9.10.3.dfsg.P4-12.3) and
> > uploaded it to DELAYED/5. Please feel free to tell me if I
> > should delay it longer.
> 
> Hi Salvatore,
> 
> I reviewed the diff.  It does look correct to me, so please feel free
> to remove the delay.

Okay rescheduled!

> I don't have the free time to prepare the jessie DSA right now, are
> you willing to do it?

Okay I will try to come up with the patchset/debdiff and will post it
here for testing.

Regards,
Salvatore

Message #57 received at 860225@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Michael Gilbert <mgilbert@debian.org>

Cc: 860225@bugs.debian.org, 860224@bugs.debian.org, 860226@bugs.debian.org, fw@debian.org

Subject: Re: Bug#860225: bind9: diff for NMU version 1:9.10.3.dfsg.P4-12.3

Date: Tue, 9 May 2017 06:28:19 +0200

Hi,

On Mon, May 08, 2017 at 06:28:51PM -0400, Michael Gilbert wrote:
> On Mon, May 8, 2017 at 6:23 PM, Michael Gilbert wrote:
> > I reviewed the diff.  It does look correct to me, so please feel free
> > to remove the delay.
> 
> There is also CVE-2017-3139 now [0].

This should only affect Red Hat bind9 version as in Red Hat 6 and not
ustream bind, so Debian should furthermore not be affected by this.
Was this assessment wrong?

Regards,
Salvatore

Message #62 received at 860225-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 860225-close@bugs.debian.org

Subject: Bug#860225: fixed in bind9 1:9.10.3.dfsg.P4-12.3

Date: Tue, 09 May 2017 04:48:34 +0000

Source: bind9
Source-Version: 1:9.10.3.dfsg.P4-12.3

We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860225@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated bind9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 07 May 2017 15:22:46 +0200
Source: bind9
Binary: bind9 bind9utils bind9-doc host bind9-host libbind-dev libbind9-140 libdns162 libirs141 libisc160 liblwres141 libisccc140 libisccfg140 dnsutils lwresd libbind-export-dev libdns-export162 libdns-export162-udeb libisc-export160 libisc-export160-udeb libisccfg-export140 libisccc-export140 libisccc-export140-udeb libisccfg-export140-udeb libirs-export141 libirs-export141-udeb
Architecture: all source
Version: 1:9.10.3.dfsg.P4-12.3
Distribution: unstable
Urgency: high
Maintainer: LaMont Jones <lamont@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 860224 860225 860226
Description: 
 bind9      - Internet Domain Name Server
 bind9-doc  - Documentation for BIND
 bind9-host - Version of 'host' bundled with BIND 9.X
 bind9utils - Utilities for BIND
 dnsutils   - Clients provided with BIND
 host       - Transitional package
 libbind-dev - Static Libraries and Headers used by BIND
 libbind-export-dev - Development files for the exported BIND libraries
 libbind9-140 - BIND9 Shared Library used by BIND
 libdns-export162 - Exported DNS Shared Library
 libdns-export162-udeb - Exported DNS library for debian-installer (udeb)
 libdns162  - DNS Shared Library used by BIND
 libirs-export141 - Exported IRS Shared Library
 libirs-export141-udeb - Exported IRS library for debian-installer (udeb)
 libirs141  - DNS Shared Library used by BIND
 libisc-export160 - Exported ISC Shared Library
 libisc-export160-udeb - Exported ISC library for debian-installer (udeb)
 libisc160  - ISC Shared Library used by BIND
 libisccc-export140 - Command Channel Library used by BIND
 libisccc-export140-udeb - Command Channel Library used by BIND (udeb)
 libisccc140 - Command Channel Library used by BIND
 libisccfg-export140 - Exported ISC CFG Shared Library
 libisccfg-export140-udeb - Exported ISC CFG library for debian-installer (udeb)
 libisccfg140 - Config File Handling Library used by BIND
 liblwres141 - Lightweight Resolver Library used by BIND
 lwresd     - Lightweight Resolver Daemon
Changes:
 bind9 (1:9.10.3.dfsg.P4-12.3) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Dns64 with "break-dnssec yes;" can result in a assertion failure
     (CVE-2017-3136) (Closes: #860224)
   * Some chaining (CNAME or DNAME) responses to upstream queries could trigger
     assertion failures (CVE-2017-3137) (Closes: #860225)
   * 'rndc ""' could trigger a assertion failure in named (CVE-2017-3138)
     (Closes: #860226)
Checksums-Sha1: 
 c42a613458bb1a31a8dfc902fbdf4cb28134f0bf 3913 bind9_9.10.3.dfsg.P4-12.3.dsc
 292ae99f2860c761f4242e47e555be65a3b0b002 81480 bind9_9.10.3.dfsg.P4-12.3.debian.tar.xz
 ac70390e89047a73cda40e04dfdfbe982daaa935 377824 bind9-doc_9.10.3.dfsg.P4-12.3_all.deb
 6839fa4972999805ed716e7c2ce1f1e12a2d7e86 185186 host_9.10.3.dfsg.P4-12.3_all.deb
Checksums-Sha256: 
 b39ed8bb8cade9b939ee8fd0144097f046db8392c4f3cf1e7ee5c97e6a3f0417 3913 bind9_9.10.3.dfsg.P4-12.3.dsc
 4dd1a5764ac39275598bf96f45d3d7f92d9c0f11d96bebe7b652ed85ada1e98f 81480 bind9_9.10.3.dfsg.P4-12.3.debian.tar.xz
 2978dd2869f0d780b8616922d8446993533fcd59565a828961c4b0acb5637763 377824 bind9-doc_9.10.3.dfsg.P4-12.3_all.deb
 cfe04de2b313771e1dc9ddbb466afbe17378427b49fad1fd94dd6e3500f23c63 185186 host_9.10.3.dfsg.P4-12.3_all.deb
Files: 
 938c0473b9a3fa2b52cbdf7b264794c7 3913 net optional bind9_9.10.3.dfsg.P4-12.3.dsc
 0b8b0bfd27b6247252fc4d2aa55b20c7 81480 net optional bind9_9.10.3.dfsg.P4-12.3.debian.tar.xz
 d0d2c67da0ad57da02d5e4c240e1c441 377824 doc optional bind9-doc_9.10.3.dfsg.P4-12.3_all.deb
 ac6b79f92b9eceebca43b8d697f9e59e 185186 net standard host_9.10.3.dfsg.P4-12.3_all.deb

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlkPMbxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89ElZcP/19SYv4n3Lo4WCPCIjSbLN5v1YxUSc45
te6NFRi70CTP5vYAX4W5v2HazHvvpCaAYQUxjbd+RuaARiKsl//iOsHkHHMcl27t
9Gs++KQXJYhqRbDuUcxY7oS0AQ5a1RYGJRJABxJ2fZ2eA/W8IcCX0R3bLrboHvjt
W8M7CnUn83mfl4oIIuUHHUSLJMHOuwfyKVQQ3DRwcemGJBrxvXi0DVxel6rHr9cj
+83xj3gKKAnJ82A7rjbtcPD61Bxc1AXCTanUPHNLUux52oRhVXFHMDFGkj4dhyxR
Y68Sn4aGoEaWshdMmkJqSxFEGSiXx4cfbO/WRag6qEOhTI+KVQIDwfA9iACD8Ej2
Grgtirap+gzbnZ+5DWFN/ieUMbDgsN8mw8D7zO8gnXAKs+ljVD7/OsBY4yD0MZef
eIsbRlMkx/2P2grtTQ9n4bAThju0wqXHyd+yBdNcqBLTz1hhsENB23PP6C9kTBKN
oN6VULdUpW9TRIykhU746dyLQjjs2sHyTioeHSNV53f2YcSp+rKmv7bM0DWSUqVg
38unXRkN8kUJ+8+zGO9Kq7PJYPfiQ+RO0BuZUmSD+d3itAdab41nyxFhu9tMklyf
u9TRl8F0gOH7NYHnq/Digr3Sixzy2nROBwF4TEq+XaKhdGm3yOUobga/+80WKw1c
vmD3pFVRwmr9
=t00v
-----END PGP SIGNATURE-----

Message #67 received at 860225@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 860225@bugs.debian.org

Cc: Jan Korbel <debian@teptin.net>, "Jan Sechovec (skudlik)" <skudlik@mail.klfree.net>, Jorge Daniel Sequeira Matias <jdsm@tecnico.ulisboa.pt>, Luca Galassi <luca.galassi@acantho.com>, C??dric Dufour - Idiap Research Institute <cedric.dufour@idiap.ch>

Subject: Re: Bug#860225: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME

Date: Thu, 11 May 2017 08:19:15 +0200

[Message part 1 (text/plain, inline)]

Hi

Packages for testing can be found at:

https://people.debian.org/~carnil/tmp/bind9/

(amd64 build only), and attached the debdiff.

I would appreciate any testing feedback from people mentioning in this
bug that they are affected by the issue.

Thanks already in advance,

Regards,
Salvatore

[bind9_9.9.5.dfsg-9+deb8u10.debdiff (text/plain, attachment)]

Message #72 received at 860225@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 860225@bugs.debian.org

Cc: Jan Korbel <debian@teptin.net>, "Jan Sechovec (skudlik)" <skudlik@mail.klfree.net>, Jorge Daniel Sequeira Matias <jdsm@tecnico.ulisboa.pt>, Luca Galassi <luca.galassi@acantho.com>, C??dric Dufour - Idiap Research Institute <cedric.dufour@idiap.ch>

Subject: Re: Bug#860225: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME

Date: Thu, 11 May 2017 08:27:57 +0200

On Thu, May 11, 2017 at 08:19:15AM +0200, Salvatore Bonaccorso wrote:
> Hi
> 
> Packages for testing can be found at:
> 
> https://people.debian.org/~carnil/tmp/bind9/
> 
> (amd64 build only), and attached the debdiff.

There was an error in those  packages and I have removed them again.

Salvatore

Message #77 received at 860225@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 860225@bugs.debian.org

Cc: Jan Korbel <debian@teptin.net>, "Jan Sechovec (skudlik)" <skudlik@mail.klfree.net>, Jorge Daniel Sequeira Matias <jdsm@tecnico.ulisboa.pt>, Luca Galassi <luca.galassi@acantho.com>, C??dric Dufour - Idiap Research Institute <cedric.dufour@idiap.ch>

Subject: Re: Bug#860225: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME

Date: Thu, 11 May 2017 08:50:57 +0200

[Message part 1 (text/plain, inline)]

On Thu, May 11, 2017 at 08:27:57AM +0200, Salvatore Bonaccorso wrote:
> On Thu, May 11, 2017 at 08:19:15AM +0200, Salvatore Bonaccorso wrote:
> > Hi
> > 
> > Packages for testing can be found at:
> > 
> > https://people.debian.org/~carnil/tmp/bind9/
> > 
> > (amd64 build only), and attached the debdiff.
> 
> There was an error in those  packages and I have removed them again.

Corrected version re-uploaded.

Regards,
Salvatore

[bind9_9.9.5.dfsg-9+deb8u11.debdiff (text/plain, attachment)]

Message #82 received at 860225-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 860225-close@bugs.debian.org

Subject: Bug#860225: fixed in bind9 1:9.9.5.dfsg-9+deb8u11

Date: Sat, 27 May 2017 12:32:09 +0000

Source: bind9
Source-Version: 1:9.9.5.dfsg-9+deb8u11

We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860225@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated bind9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 11 May 2017 08:39:19 +0200
Source: bind9
Binary: bind9 bind9utils bind9-doc host bind9-host libbind-dev libbind9-90 libdns100 libisc95 liblwres90 libisccc90 libisccfg90 dnsutils lwresd libbind-export-dev libdns-export100 libdns-export100-udeb libisc-export95 libisc-export95-udeb libisccfg-export90 libisccfg-export90-udeb libirs-export91 libirs-export91-udeb
Architecture: all source
Version: 1:9.9.5.dfsg-9+deb8u11
Distribution: jessie-security
Urgency: high
Maintainer: LaMont Jones <lamont@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 860224 860225 860226
Description: 
 bind9      - Internet Domain Name Server
 bind9-doc  - Documentation for BIND
 bind9-host - Version of 'host' bundled with BIND 9.X
 bind9utils - Utilities for BIND
 dnsutils   - Clients provided with BIND
 host       - Transitional package
 libbind-dev - Static Libraries and Headers used by BIND
 libbind-export-dev - Development files for the exported BIND libraries
 libbind9-90 - BIND9 Shared Library used by BIND
 libdns-export100 - Exported DNS Shared Library
 libdns-export100-udeb - Exported DNS library for debian-installer (udeb)
 libdns100  - DNS Shared Library used by BIND
 libirs-export91 - Exported IRS Shared Library
 libirs-export91-udeb - Exported IRS library for debian-installer (udeb)
 libisc-export95 - Exported ISC Shared Library
 libisc-export95-udeb - Exported ISC library for debian-installer (udeb)
 libisc95   - ISC Shared Library used by BIND
 libisccc90 - Command Channel Library used by BIND
 libisccfg-export90 - Exported ISC CFG Shared Library
 libisccfg-export90-udeb - Exported ISC CFG library for debian-installer (udeb)
 libisccfg90 - Config File Handling Library used by BIND
 liblwres90 - Lightweight Resolver Library used by BIND
 lwresd     - Lightweight Resolver Daemon
Changes:
 bind9 (1:9.9.5.dfsg-9+deb8u11) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Dns64 with "break-dnssec yes;" can result in a assertion failure.
     (CVE-2017-3136) (Closes: #860224)
   * Prerequisite for CVE-2017-3137 cherry-picked from upstream change #4190.
     If not cherry-picking this change the fix for CVE-2017-3137 can cause an
     assertion failure to appear in name.c.
   * Some chaining (CNAME or DNAME) responses to upstream queries could trigger
     assertion failures (CVE-2017-3137) (Closes: #860225)
   * Reimplement: Some chaining (CNAME or DNAME) responses to upstream queries
     could trigger assertion failures. (CVE-2017-3137)
   * Fix regression introduced when handling CNAME to referral below the
     current domain
   * 'rndc ""' could trigger a assertion failure in named. (CVE-2017-3138)
     (Closes: #860226)
Checksums-Sha1: 
 f2d1670569683e593fda739666c147329f5bd654 3620 bind9_9.9.5.dfsg-9+deb8u11.dsc
 32677c500c750f041d5995b9083eee68d90efbf1 128840 bind9_9.9.5.dfsg-9+deb8u11.diff.gz
 214a0dcba51e0fe40635299abf710dd099218a82 339460 bind9-doc_9.9.5.dfsg-9+deb8u11_all.deb
 1400ac71c2c64cd2d778db3ff321d122aff7fe70 23892 host_9.9.5.dfsg-9+deb8u11_all.deb
Checksums-Sha256: 
 e00753c33208893e0862372f22b3aeb8a052b3e5aa7396b2e7faed57b24c2f4b 3620 bind9_9.9.5.dfsg-9+deb8u11.dsc
 cfa5fe637c27784bf9fb9a48e2fd0432248a76c0c9f8ce3da5b589dec5b45b81 128840 bind9_9.9.5.dfsg-9+deb8u11.diff.gz
 2dcb870cfe718ebe3b04a12b372ffb3b6fc207d1c628e83e10707531a55a7f38 339460 bind9-doc_9.9.5.dfsg-9+deb8u11_all.deb
 a1965b7ec3429278b9cf5ff7e934a5a062c13aa1eab97138cf3c7dea57074fd2 23892 host_9.9.5.dfsg-9+deb8u11_all.deb
Files: 
 c1362de32d5501fff5eedf10636f4c57 3620 net optional bind9_9.9.5.dfsg-9+deb8u11.dsc
 31d0ce9a68b9f001039b0412ca013645 128840 net optional bind9_9.9.5.dfsg-9+deb8u11.diff.gz
 3f1ad3b3c06ffcfb724ea8d482a74a30 339460 doc optional bind9-doc_9.9.5.dfsg-9+deb8u11_all.deb
 da9567cf85ffe780c7fd950233751de5 23892 net standard host_9.9.5.dfsg-9+deb8u11_all.deb

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlkUCflfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EBvIQAJ1KN1yhzJUgmoEXscgfLTJjBw7bErLi
ixL2HWCHoP9Hs98JwfXKKRm7yYtYbfxnLZ7zXaNo9VALrDaZj22dwamxMRQQbh4Z
R96k7hGDCjLGKvccmCTTkv5NXLo/binqKC6UbOcZllhNK/KQssZLZ6yi8o0CccVr
t+A5Z2jkSAFuQHKmychgHmuoVBTzlW3nk8M0WytjCG9mLvzBN+MOImWBu7weJtJB
AgvwASkGI9mwIMo/AWDljZliwb6xOvqANjDoLYuswWYp1Ugf6F5OrSGqrHyhCT5w
haP6s9LSSzImWBBBAtQ+lfqbABu1kVNlDBXySaDEXkQ0vL0AUGFA5PbtHhB14mzp
/hIevKh4vYc60eLBwmA068oIJ8PjsSsDqj1vDmCOqe7wzVO6mrFL91vYpG4Ea/ab
iRmKPrEVuNkvKCYLhglMFrxnpZMKRHPnbrEGXts51V0pf1t/bjsxInttVw57vFDT
+BDKpH+yUjkHfFlcoyv4zqegL1zPrnMbSTYz0DfsZKpvlN9zw1qFbBEqWFhY1mYO
t4gDmAscb/TUFRaI/iUe14njX0pImIdB1J0s6DMxJyoNouhaXoAMVg3KPSRdmu0W
lpbhJjbs2f38TtfmUXghfQjJVjEPkTtbzUXtpfYc2/r5pD7T+UGaHYMO4jofgmaH
6cjt08XlDAg5
=/vrq
-----END PGP SIGNATURE-----

Message #87 received at 860225@bugs.debian.org (full text, mbox, reply):

From: agrihobby@agrihobby.com

To: 860225@bugs.debian.org

Subject: Notification status of your delivery (UPS 09776681)

Date: Tue, 25 Jul 2017 07:18:20 +0200

[Message part 1 (text/plain, inline)]

Dear Customer,

UPS courier was unable to contact you for your parcel delivery.

You can download the shipment label attached!

Thank you for your assistance in this matter,
 ,
UPS Mail Delivery Manager.

[UPS-Parcel-ID-09776681.zip (application/zip, attachment)]

Message #92 received at 860225@bugs.debian.org (full text, mbox, reply):

From: Ondrej Zary <linux@rainbow-software.org>

To: Debian Bug Tracking System <860225@bugs.debian.org>

Subject: bind9: Wheezy hit by CVE-2017-3139

Date: Sat, 02 Sep 2017 11:38:42 +0200

Package: bind9
Version: 1:9.8.4.dfsg.P1-6+nmu2+deb7u18
Followup-For: Bug #860225

Dear Maintainer,
looks like I've just been hit by CVE-2017-3139 on Debian Wheezy.
Seems it's not limited to RedHat:

Aug 31 17:03:24 r210 named[29899]: validator.c:1858: INSIST(rdataset->type
== ((dns_rdatatype_t)dns_rdatatype_dnskey)) failed, back trace
Aug 31 17:03:24 r210 named[29899]: #0 0x7f0b982b8e19 in ??
Aug 31 17:03:24 r210 named[29899]: #1 0x7f0b96bf5f3a in ??
Aug 31 17:03:24 r210 named[29899]: #2 0x7f0b97bb4e57 in ??
Aug 31 17:03:24 r210 named[29899]: #3 0x7f0b97bbb599 in ??
Aug 31 17:03:24 r210 named[29899]: #4 0x7f0b96c14dfd in ??
Aug 31 17:03:24 r210 named[29899]: #5 0x7f0b965c8b50 in ??
Aug 31 17:03:24 r210 named[29899]: #6 0x7f0b95fb2fbd in ??
Aug 31 17:03:24 r210 named[29899]: exiting (due to assertion failure)


-- System Information:
Debian Release: 7.11
  APT prefers oldoldstable-updates
  APT policy: (500, 'oldoldstable-updates'), (500, 'oldoldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=sk_SK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bind9 depends on:
ii  adduser                3.113+nmu3
ii  bind9utils             1:9.8.4.dfsg.P1-6+nmu2+deb7u18
ii  debconf [debconf-2.0]  1.5.49
ii  libbind9-80            1:9.8.4.dfsg.P1-6+nmu2+deb7u18
ii  libc6                  2.13-38+deb7u12
ii  libcap2                1:2.22-1.2
ii  libdns88               1:9.8.4.dfsg.P1-6+nmu2+deb7u18
ii  libgssapi-krb5-2       1.10.1+dfsg-5+deb7u8
ii  libisc84               1:9.8.4.dfsg.P1-6+nmu2+deb7u18
ii  libisccc80             1:9.8.4.dfsg.P1-6+nmu2+deb7u18
ii  libisccfg82            1:9.8.4.dfsg.P1-6+nmu2+deb7u18
ii  liblwres80             1:9.8.4.dfsg.P1-6+nmu2+deb7u18
ii  libssl1.0.0            1.0.1t-1+deb7u2
ii  libxml2                2.8.0+dfsg1-7+wheezy9
ii  lsb-base               4.1+Debian8+deb7u1
ii  net-tools              1.60-24.2
ii  netbase                5.0

bind9 recommends no packages.

Versions of packages bind9 suggests:
ii  bind9-doc   1:9.8.4.dfsg.P1-6+nmu2+deb7u18
ii  dnsutils    1:9.8.4.dfsg.P1-6+nmu2+deb7u18
pn  resolvconf  <none>
pn  ufw         <none>

-- Configuration Files:
/etc/bind/named.conf.local changed [not included]

-- debconf information excluded

Message #97 received at 860225@bugs.debian.org (full text, mbox, reply):

From: Bernhard Schmidt <berni@debian.org>

To: 860225@bugs.debian.org

Subject: Re: bind9: CVE-2017-3137: A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME

Date: Mon, 23 Oct 2017 13:11:08 +0200

[Message part 1 (text/plain, inline)]

Control: fixed -1 bind9/1:9.10.6+dfsg-1

Fixed upstream

	--- 9.10.5rc2 released ---

4578.	[security]	Some chaining (CNAME or DNAME) responses to
			upstream
			queries could trigger assertion failures.
			(CVE-2017-3137) [RT #44734]

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.