
Bug#704218: marked as done (unblock: bind9/1:9.8.4.dfsg.P1-6+nmu1)



Your message dated Fri, 29 Mar 2013 21:06:05 +0000
with message-id <801064e176e913c1aa7c284829953156@mail.adsl.funky-badger.org>
and subject line Re: Bug#704218: unblock: bind9/1:9.8.4.dfsg.P1-6+nmu1
has caused the Debian Bug report #704218,
regarding unblock: bind9/1:9.8.4.dfsg.P1-6+nmu1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
704218: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704218
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team

Please unblock package bind9

Michael Gilbert uploaded bind9/1:9.8.4.dfsg.P1-6+nmu1 with fixes for
two CVEs:

 bind9 (1:9.8.4.dfsg.P1-6+nmu1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix cve-2012-5689: issue in nameservers using DNS64 to perform a AAAA
     lookup for a record with an A record overwrite rule in a Response Policy
     Zone (closes: #699145).
   * Fix cve-2013-2266: issues in regular expression handling (closes: #704174).

Could these changes be unblocked for wheezy? Attached is the produced
debdiff against the current version in testing.

unblock bind9/1:9.8.4.dfsg.P1-6+nmu1

Thanks in advance and regards,
Salvatore
Base version: bind9_1:9.8.4.dfsg.P1-6 from testing
Target version: bind9_1:9.8.4.dfsg.P1-6+nmu1 from unstable

No hints in place.

Excuses:

bind9 (1:9.8.4.dfsg.P1-6 to 1:9.8.4.dfsg.P1-6+nmu1)
    Maintainer: LaMont Jones 
    Too young, only 0 of 2 days old
    Not touching package due to block request by freeze (contact debian-release if update is needed)
    Updating bind9 fixes old bugs: #704174
    Not considered

 bin/named/query.c |   28 ++++++++++++++++++++++++++++
 config.h.in       |    3 ---
 configure         |    2 +-
 configure.in      |    2 +-
 debian/changelog  |   10 ++++++++++
 5 files changed, 40 insertions(+), 5 deletions(-)

diff -u bind9-9.8.4.dfsg.P1/configure.in bind9-9.8.4.dfsg.P1/configure.in
--- bind9-9.8.4.dfsg.P1/configure.in
+++ bind9-9.8.4.dfsg.P1/configure.in
@@ -298,7 +298,7 @@
 
 AC_HEADER_STDC
 
-AC_CHECK_HEADERS(fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
+AC_CHECK_HEADERS(fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
 [$ac_includes_default
 #ifdef HAVE_SYS_PARAM_H
 # include <sys/param.h>
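
Review bot: Dropping regex.h from the AC_CHECK_HEADERS list is done without any comment saying why, so a later autoconf refresh or upstream merge can silently put it back. Nothing else in this debdiff touches code that tests HAVE_REGEX_H, so the fix depends entirely on that macro staying undefined; add a dnl comment next to the macro call naming CVE-2013-2266 as the reason regex.h is deliberately not probed.
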
diff -u bind9-9.8.4.dfsg.P1/config.h.in bind9-9.8.4.dfsg.P1/config.h.in
--- bind9-9.8.4.dfsg.P1/config.h.in
+++ bind9-9.8.4.dfsg.P1/config.h.in
@@ -289,9 +289,6 @@
 /* Define if your OpenSSL version supports GOST. */
 #undef HAVE_OPENSSL_GOST
 
-/* Define to 1 if you have the <regex.h> header file. */
-#undef HAVE_REGEX_H
-
 /* Define to 1 if you have the `setegid' function. */
 #undef HAVE_SETEGID
 
diff -u bind9-9.8.4.dfsg.P1/configure bind9-9.8.4.dfsg.P1/configure
--- bind9-9.8.4.dfsg.P1/configure
+++ bind9-9.8.4.dfsg.P1/configure
@@ -12862,7 +12862,7 @@
 fi
 
 
-for ac_header in fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h
+for ac_header in fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h
 do :
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
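
Review bot: The for ac_header list in configure is a generated file patched here alongside its source configure.in (and config.h.in), so the three copies of the header list have to be kept in step. Say in the changelog whether the package build regenerates these files or uses them as shipped, so a reviewer knows which of the three edits actually takes effect.
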
diff -u bind9-9.8.4.dfsg.P1/bin/named/query.c bind9-9.8.4.dfsg.P1/bin/named/query.c
--- bind9-9.8.4.dfsg.P1/bin/named/query.c
+++ bind9-9.8.4.dfsg.P1/bin/named/query.c
@@ -6136,6 +6136,7 @@
 			client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
 						DNS_MESSAGEFLAG_AD);
 			query_putrdataset(client, &sigrdataset);
+			rpz_st->q.is_zone = is_zone;
 			is_zone = ISC_TRUE;
 			rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy,
 					rpz_st->m.type, zone, rpz_st->p_name);
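
Review bot: The added rpz_st->q.is_zone = is_zone; has no comment, and its correctness depends on sitting immediately before is_zone = ISC_TRUE; so that the pre-rewrite value is what gets saved. A one-line comment saying the value is kept for the DNS64 restart paths would stop someone reordering the two lines. The diffstat touches no header, so q.is_zone is an existing field being reused; please confirm nothing else writes it between this point and the later reads.
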
@@ -6513,6 +6514,15 @@
 			rdataset = NULL;
 			sigrdataset = NULL;
 			type = qtype = dns_rdatatype_a;
+			rpz_st = client->query.rpz_st;
+			if (rpz_st != NULL) {
+				/*
+				 * Arrange for RPZ rewriting of any A records.
+				 */
+				if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+					is_zone = rpz_st->q.is_zone;
+				rpz_st_clear(client);
+			}
 			dns64 = ISC_TRUE;
 			goto db_find;
 		}
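
Review bot: In the added block, rpz_st_clear(client) runs whenever rpz_st is non-NULL, while is_zone is restored only when DNS_RPZ_REWRITTEN is set, and the comment "Arrange for RPZ rewriting of any A records" explains neither. Extend the comment to say that is_zone is put back to its pre-rewrite value and the RPZ state is reset before the restarted A lookup, and state whether clearing the state in the non-rewritten case is intended.
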
@@ -6771,6 +6781,15 @@
 			sigrdataset = NULL;
 			fname = NULL;
 			type = qtype = dns_rdatatype_a;
+			rpz_st = client->query.rpz_st;
+			if (rpz_st != NULL) {
+				/*
+				 * Arrange for RPZ rewriting of any A records.
+				 */
+				if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+					is_zone = rpz_st->q.is_zone;
+				rpz_st_clear(client);
+			}
 			dns64 = ISC_TRUE;
 			goto db_find;
 		}
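
Review bot: The restore at if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0) reads rpz_st->q.is_zone, but the only assignment to that field visible in this patch is the one in the hunk at -6136. If any other path can set DNS_RPZ_REWRITTEN without storing q.is_zone first, this restores a stale value; either initialise the field where the state is created or note in the comment why the single store is sufficient.
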
@@ -7271,6 +7290,15 @@
 			rdataset = NULL;
 			sigrdataset = NULL;
 			type = qtype = dns_rdatatype_a;
+			rpz_st = client->query.rpz_st;
+			if (rpz_st != NULL) {
+				/*
+				 * Arrange for RPZ rewriting of any A records.
+				 */
+				if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+					is_zone = rpz_st->q.is_zone;
+				rpz_st_clear(client);
+			}
 			dns64_exclude = dns64 = ISC_TRUE;
 			goto db_find;
 		}
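
Review bot: This is the third verbatim copy of the same nine-line rpz_st block, here ahead of dns64_exclude = dns64 = ISC_TRUE;, and three copies invite a future fix landing in only one or two of them. Consider a small static helper in query.c taking client and a pointer to is_zone, called from all three DNS64 restart sites.
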
diff -u bind9-9.8.4.dfsg.P1/debian/changelog bind9-9.8.4.dfsg.P1/debian/changelog
--- bind9-9.8.4.dfsg.P1/debian/changelog
+++ bind9-9.8.4.dfsg.P1/debian/changelog
@@ -1,3 +1,13 @@
+bind9 (1:9.8.4.dfsg.P1-6+nmu1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix cve-2012-5689: issue in nameservers using DNS64 to perform a AAAA
+    lookup for a record with an A record overwrite rule in a Response Policy
+    Zone (closes: #699145).
+  * Fix cve-2013-2266: issues in regular expression handling (closes: #704174).
+
+ -- Michael Gilbert <mgilbert@debian.org>  Fri, 29 Mar 2013 00:47:25 +0000
+
 bind9 (1:9.8.4.dfsg.P1-6) unstable; urgency=low
 
   [Ben Hutchings]
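
Review bot: The entry "Fix cve-2013-2266: issues in regular expression handling" does not say how the issue is fixed, while the only related change in this debdiff is removing regex.h from the configure header checks. Spell that out in the entry (regex.h is no longer probed, so HAVE_REGEX_H stays undefined), and write the CVE identifiers in upper case as CVE-2012-5689 and CVE-2013-2266.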

--- End Message ---
--- Begin Message ---
On 29.03.2013 20:38, Michael Gilbert wrote:
> On Fri, Mar 29, 2013 at 4:08 PM, Adam D. Barratt wrote:
>> On 29.03.2013 15:01, Salvatore Bonaccorso wrote:
>>>    * Fix cve-2012-5689: issue in nameservers using DNS64 to perform a AAAA
>>>      lookup for a record with an A record overwrite rule in a Response Policy
>>>      Zone (closes: #699145).
>>
>> fwiw, this issue isn't marked as RC currently. The bug log notes
>> that there wasn't a production quality patch available and instead
>> the plan was to document how to avoid the issue, which Moritz seemed
>> happy with. What changed?
>
> A production-ready patch.

Then that should have been communicated in the bug report, so that everyone was aware of what was going on. Having a solution agreed on (including by a member of the security team) in the public discussion and then an alternative solution being implemented with no further comment is confusing at best.

>>>    * Fix cve-2013-2266: issues in regular expression handling (closes: #704174).
>>
>> and that one appears to have been NMUed around four hours after it
>> was filed, which I'm not overjoyed about.
>
> You're aware that this is easily exploited in the wild already?

Is being, or can be? Yes, I've read the articles linked from the bug report; in fact I was aware of the issue before I saw the bug report. Either way, that doesn't automatically mean you shouldn't give the maintainer chance to comment or upload or whatever.

In any case, unblocked.

Regards,

Adam

--- End Message ---
