[Bug 1717981] Re: Regression in CVE-2017-3142

Andreas Hasenack andreas at canonical.com
Thu Dec 14 21:18:52 UTC 2017 

I believe the fix for this was released already, unless there were
multiple CVE-2017-3142 regressions:

xenial:
bind9 (1:9.10.3.dfsg.P4-8ubuntu1.8) xenial-security; urgency=medium

  * SECURITY REGRESSION: regression in last security update
    - debian/patches/CVE-2017-3142-regression.patch: fix verification of
      TSIG signed TCP message sequences where not all the messages contain
      TSIG records in lib/dns/tsig.c, aded test to
      lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.

trusty:
bind9 (1:9.9.5.dfsg-3ubuntu0.16) trusty-security; urgency=medium

  * SECURITY REGRESSION: regression in last security update
    - fix verification of TSIG signed TCP message sequences where not all
      the messages contain TSIG records in lib/dns/tsig.c, aded test to
      lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.
    - 6fcdcabc11f18eb128167f7f7eca4a244bf75c52
  * Update the built in managed keys to include the upcoming root KSK in
    bind.keys, bin/named/bind.keys.h.
    - 9543825c155c5c5ec42cc4d95fe6f0d52ef9b0a7

 -- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Fri, 15 Sep 2017
07:53:57 -0400

bind9 (1:9.9.5.dfsg-3ubuntu0.15) trusty-security; urgency=medium

  * SECURITY UPDATE: TSIG authentication issues
    - lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c: fix TSIG logic.
    - CVE-2017-3142
    - CVE-2017-3143


zesty:
bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5.2) zesty-security; urgency=medium

  * SECURITY REGRESSION: regression in last security update
    - debian/patches/CVE-2017-3142-regression.patch: fix verification of
      TSIG signed TCP message sequences where not all the messages contain
      TSIG records in lib/dns/tsig.c, aded test to
      lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.
  * debian/patches/update_keys.patch: Update the built in managed keys to
    include the upcoming root KSK in bind.keys, bind.keys.h.


artful (via debian merge):
bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium

  * Non-maintainer upload.
  * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
    signed TCP message sequences where not all the messages contain TSIG
    records. These may be used in AXFR and IXFR responses.
    (Closes: #868952)

 -- Salvatore Bonaccorso <carnil at debian.org>  Fri, 21 Jul 2017 22:28:32
+0200


This bug was not mentioned in d/changelog and therefore not auto closed.
Can someone from the security team confirm please?

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-3142

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-3143

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to bind9 in Ubuntu.
https://bugs.launchpad.net/bugs/1717981

Title:
  Regression in CVE-2017-3142

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1717981/+subscriptions

More information about the Ubuntu-server-bugs mailing list