--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team

Please unblock package bind9

Michael Gilbert uploaded bind9/1:9.8.4.dfsg.P1-6+nmu1 with fixes for
two CVEs:

 bind9 (1:9.8.4.dfsg.P1-6+nmu1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix cve-2012-5689: issue in nameservers using DNS64 to perform a AAAA
     lookup for a record with an A record overwrite rule in a Response Policy
     Zone (closes: #699145).
   * Fix cve-2013-2266: issues in regular expression handling (closes: #704174).

Could these changes be unblocked for wheezy? Attached is the produced
debdiff against current version in testing.

unblock bind9/1:9.8.4.dfsg.P1-6+nmu1

Thanks in advance and regards,
Salvatore

Base version: bind9_1:9.8.4.dfsg.P1-6 from testing
Target version: bind9_1:9.8.4.dfsg.P1-6+nmu1 from unstable

No hints in place.

Excuses:

bind9 (1:9.8.4.dfsg.P1-6 to 1:9.8.4.dfsg.P1-6+nmu1)
  Maintainer: LaMont Jones
  Too young, only 0 of 2 days old
  Not touching package due to block request by freeze (contact debian-release if update is needed)
  Updating bind9 fixes old bugs: #704174
  Not considered

bin/named/query.c | 28 ++++++++++++++++++++++++++++
config.h.in | 3 ---
configure | 2 +-
configure.in | 2 +-
debian/changelog | 10 ++++++++++
5 files changed, 40 insertions(+), 5 deletions(-)
diff -u bind9-9.8.4.dfsg.P1/configure.in bind9-9.8.4.dfsg.P1/configure.in
--- bind9-9.8.4.dfsg.P1/configure.in
+++ bind9-9.8.4.dfsg.P1/configure.in
@@ -298,7 +298,7 @@
AC_HEADER_STDC
-AC_CHECK_HEADERS(fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
+AC_CHECK_HEADERS(fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
[$ac_includes_default
#ifdef HAVE_SYS_PARAM_H
# include <sys/param.h>
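Review bot: with regex.h dropped from this AC_CHECK_HEADERS list, HAVE_REGEX_H is never defined, so the change only protects code that is guarded by that macro. Confirm that no source file includes <regex.h> without the HAVE_REGEX_H guard, since such a file would still reach the regex library after this upload.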
diff -u bind9-9.8.4.dfsg.P1/config.h.in bind9-9.8.4.dfsg.P1/config.h.in
--- bind9-9.8.4.dfsg.P1/config.h.in
+++ bind9-9.8.4.dfsg.P1/config.h.in
@@ -289,9 +289,6 @@
/* Define if your OpenSSL version supports GOST. */
#undef HAVE_OPENSSL_GOST
-/* Define to 1 if you have the <regex.h> header file. */
-#undef HAVE_REGEX_H
-
/* Define to 1 if you have the `setegid' function. */
#undef HAVE_SETEGID
diff -u bind9-9.8.4.dfsg.P1/configure bind9-9.8.4.dfsg.P1/configure
--- bind9-9.8.4.dfsg.P1/configure
+++ bind9-9.8.4.dfsg.P1/configure
@@ -12862,7 +12862,7 @@
fi
-for ac_header in fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h
+for ac_header in fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h
do :
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
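Review bot: this "for ac_header in" list is generated output edited by hand, and the diffstat shows configure, configure.in and config.h.in all changed directly in the source tree. The three edits agree with each other, but a later regeneration from a configure.in that has lost the change would silently bring regex.h back; a short comment next to the AC_CHECK_HEADERS line in configure.in saying why regex.h is absent would protect the fix.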
diff -u bind9-9.8.4.dfsg.P1/bin/named/query.c bind9-9.8.4.dfsg.P1/bin/named/query.c
--- bind9-9.8.4.dfsg.P1/bin/named/query.c
+++ bind9-9.8.4.dfsg.P1/bin/named/query.c
@@ -6136,6 +6136,7 @@
client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
DNS_MESSAGEFLAG_AD);
query_putrdataset(client, &sigrdataset);
+ rpz_st->q.is_zone = is_zone;
is_zone = ISC_TRUE;
rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy,
rpz_st->m.type, zone, rpz_st->p_name);
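Review bot: the added "rpz_st->q.is_zone = is_zone;" is only correct because it sits immediately before "is_zone = ISC_TRUE;", and nothing in the hunk says so. A one-line comment stating that the pre-rewrite value is being saved for the later DNS64 A lookup would keep a reorder from breaking it. The debdiff touches no header, so q.is_zone must already be a member of the RPZ state structure; worth confirming that its type matches is_zone.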
@@ -6513,6 +6514,15 @@
rdataset = NULL;
sigrdataset = NULL;
type = qtype = dns_rdatatype_a;
+ rpz_st = client->query.rpz_st;
+ if (rpz_st != NULL) {
+ /*
+ * Arrange for RPZ rewriting of any A records.
+ */
+ if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+ is_zone = rpz_st->q.is_zone;
+ rpz_st_clear(client);
+ }
dns64 = ISC_TRUE;
goto db_find;
}
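Review bot: the inner "if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)" has no braces and is followed directly by the unconditional "rpz_st_clear(client);", so the clear is easy to misread as part of the condition. Add braces or a blank line, and extend the comment to cover both steps: restoring is_zone when a rewrite has already happened, and clearing the RPZ state before "goto db_find".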
@@ -6771,6 +6781,15 @@
sigrdataset = NULL;
fname = NULL;
type = qtype = dns_rdatatype_a;
+ rpz_st = client->query.rpz_st;
+ if (rpz_st != NULL) {
+ /*
+ * Arrange for RPZ rewriting of any A records.
+ */
+ if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+ is_zone = rpz_st->q.is_zone;
+ rpz_st_clear(client);
+ }
dns64 = ISC_TRUE;
goto db_find;
}
@@ -7271,6 +7290,15 @@
rdataset = NULL;
sigrdataset = NULL;
type = qtype = dns_rdatatype_a;
+ rpz_st = client->query.rpz_st;
+ if (rpz_st != NULL) {
+ /*
+ * Arrange for RPZ rewriting of any A records.
+ */
+ if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+ is_zone = rpz_st->q.is_zone;
+ rpz_st_clear(client);
+ }
dns64_exclude = dns64 = ISC_TRUE;
goto db_find;
}
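Review bot: this is the third verbatim copy of the same nine added lines (they also appear in the @@ -6513 and @@ -6771 hunks). A small static helper taking client and a pointer to is_zone would keep the three DNS64 fallback paths from drifting apart when one of them is next touched.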
diff -u bind9-9.8.4.dfsg.P1/debian/changelog bind9-9.8.4.dfsg.P1/debian/changelog
--- bind9-9.8.4.dfsg.P1/debian/changelog
+++ bind9-9.8.4.dfsg.P1/debian/changelog
@@ -1,3 +1,13 @@
+bind9 (1:9.8.4.dfsg.P1-6+nmu1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix cve-2012-5689: issue in nameservers using DNS64 to perform a AAAA
+ lookup for a record with an A record overwrite rule in a Response Policy
+ Zone (closes: #699145).
+ * Fix cve-2013-2266: issues in regular expression handling (closes: #704174).
+
+ -- Michael Gilbert <mgilbert@debian.org> Fri, 29 Mar 2013 00:47:25 +0000
+
bind9 (1:9.8.4.dfsg.P1-6) unstable; urgency=low
[Ben Hutchings]
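Review bot: both new entries write the identifiers in lowercase (cve-2012-5689, cve-2013-2266); use the usual uppercase CVE- form so the entries match how the identifiers are written and searched for elsewhere. The second entry, "issues in regular expression handling", also does not say what was changed; going by the rest of the debdiff it is the removal of regex.h detection from the build, and the entry should state that.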
--- End Message ---
--- Begin Message ---
On 29.03.2013 20:38, Michael Gilbert wrote:
> On Fri, Mar 29, 2013 at 4:08 PM, Adam D. Barratt wrote:
>> On 29.03.2013 15:01, Salvatore Bonaccorso wrote:
>>> * Fix cve-2012-5689: issue in nameservers using DNS64 to perform a AAAA
>>> lookup for a record with an A record overwrite rule in a Response Policy
>>> Zone (closes: #699145).
>>
>> fwiw, this issue isn't marked as RC currently. The bug log notes
>> that there wasn't a production quality patch available and instead
>> the plan was to document how to avoid the issue, which Moritz seemed
>> happy with. What changed?
>
> A production-ready patch.

Then that should have been communicated in the bug report, so that
everyone was aware of what was going on. Having a solution agreed on
(including by a member of the security team) in the public discussion
and then an alternative solution being implemented with no further
comment is confusing at best.

>>> * Fix cve-2013-2266: issues in regular expression handling
>>> (closes: #704174).
>>
>> and that one appears to have been NMUed around four hours after it
>> was filed, which I'm not overjoyed about.
>
> You're aware that this is easily exploited in the wild already?

Is being, or can be? Yes, I've read the articles linked from the bug
report; in fact I was aware of the issue before I saw the bug report.
Either way, that doesn't automatically mean you shouldn't give the
maintainer chance to comment or upload or whatever.

In any case, unblocked.

Regards,

Adam
--- End Message ---