[Bug 1717981] Re: Regression in CVE-2017-3142
Andreas Hasenack
andreas at canonical.com
Thu Dec 14 21:18:52 UTC 2017
I believe the fix for this was released already, unless there were
multiple CVE-2017-3142 regressions:

xenial:
bind9 (1:9.10.3.dfsg.P4-8ubuntu1.8) xenial-security; urgency=medium
  * SECURITY REGRESSION: regression in last security update
    - debian/patches/CVE-2017-3142-regression.patch: fix verification of
      TSIG signed TCP message sequences where not all the messages contain
      TSIG records in lib/dns/tsig.c, added test to
      lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.

trusty:
bind9 (1:9.9.5.dfsg-3ubuntu0.16) trusty-security; urgency=medium
  * SECURITY REGRESSION: regression in last security update
    - fix verification of TSIG signed TCP message sequences where not all
      the messages contain TSIG records in lib/dns/tsig.c, added test to
      lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.
    - 6fcdcabc11f18eb128167f7f7eca4a244bf75c52
  * Update the built in managed keys to include the upcoming root KSK in
    bind.keys, bin/named/bind.keys.h.
    - 9543825c155c5c5ec42cc4d95fe6f0d52ef9b0a7
 -- Marc Deslauriers <marc.deslauriers at ubuntu.com> Fri, 15 Sep 2017 07:53:57 -0400

bind9 (1:9.9.5.dfsg-3ubuntu0.15) trusty-security; urgency=medium
  * SECURITY UPDATE: TSIG authentication issues
    - lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c: fix TSIG logic.
    - CVE-2017-3142
    - CVE-2017-3143

zesty:
bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5.2) zesty-security; urgency=medium
  * SECURITY REGRESSION: regression in last security update
    - debian/patches/CVE-2017-3142-regression.patch: fix verification of
      TSIG signed TCP message sequences where not all the messages contain
      TSIG records in lib/dns/tsig.c, added test to
      lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.
  * debian/patches/update_keys.patch: Update the built in managed keys to
    include the upcoming root KSK in bind.keys, bind.keys.h.

artful (via debian merge):
bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium
  * Non-maintainer upload.
  * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
    signed TCP message sequences where not all the messages contain TSIG
    records. These may be used in AXFR and IXFR responses.
    (Closes: #868952)
 -- Salvatore Bonaccorso <carnil at debian.org> Fri, 21 Jul 2017 22:28:32 +0200

This bug was not mentioned in d/changelog and therefore not auto closed.
Can someone from the security team confirm please?
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-3142
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-3143
https://bugs.launchpad.net/bugs/1717981