Bug #1717981 “Regression in CVE-2017-3142” : Bugs : bind9 package : Ubuntu

Marc Deslauriers (mdeslaur) on 2017-09-18

Changed in bind9 (Ubuntu Artful):
status:	New → Fix Committed

Bug Watch Updater (bug-watch-updater) on 2017-09-18

Changed in bind9 (Debian):
status:	Unknown → Fix Released

Revision history for this message

Mathew Hodson (mhodson) wrote on 2017-09-21:

#1

https://usn.ubuntu.com/usn/usn-3346-2/

Changed in bind9 (Ubuntu Trusty):
importance:	Undecided → High
Changed in bind9 (Ubuntu Xenial):
importance:	Undecided → High
Changed in bind9 (Ubuntu Zesty):
importance:	Undecided → High
Changed in bind9 (Ubuntu Artful):
importance:	Undecided → High

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2017-12-14:

#2

I believe the fix for this was released already, unless there were multiple CVE-2017-3142 regressions:

xenial:
bind9 (1:9.10.3.dfsg.P4-8ubuntu1.8) xenial-security; urgency=medium

  * SECURITY REGRESSION: regression in last security update
    - debian/patches/CVE-2017-3142-regression.patch: fix verification of
      TSIG signed TCP message sequences where not all the messages contain
      TSIG records in lib/dns/tsig.c, aded test to
      lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.

trusty:
bind9 (1:9.9.5.dfsg-3ubuntu0.16) trusty-security; urgency=medium

  * SECURITY REGRESSION: regression in last security update
    - fix verification of TSIG signed TCP message sequences where not all
      the messages contain TSIG records in lib/dns/tsig.c, aded test to
      lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.
    - 6fcdcabc11f18eb128167f7f7eca4a244bf75c52
  * Update the built in managed keys to include the upcoming root KSK in
    bind.keys, bin/named/bind.keys.h.
    - 9543825c155c5c5ec42cc4d95fe6f0d52ef9b0a7

-- Marc Deslauriers <email address hidden> Fri, 15 Sep 2017 07:53:57 -0400

bind9 (1:9.9.5.dfsg-3ubuntu0.15) trusty-security; urgency=medium

  * SECURITY UPDATE: TSIG authentication issues
    - lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c: fix TSIG logic.
    - CVE-2017-3142
    - CVE-2017-3143

zesty:
bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5.2) zesty-security; urgency=medium

  * SECURITY REGRESSION: regression in last security update
    - debian/patches/CVE-2017-3142-regression.patch: fix verification of
      TSIG signed TCP message sequences where not all the messages contain
      TSIG records in lib/dns/tsig.c, aded test to
      lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.
  * debian/patches/update_keys.patch: Update the built in managed keys to
    include the upcoming root KSK in bind.keys, bind.keys.h.

artful (via debian merge):
bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium

  * Non-maintainer upload.
  * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
    signed TCP message sequences where not all the messages contain TSIG
    records. These may be used in AXFR and IXFR responses.
    (Closes: #868952)

-- Salvatore Bonaccorso <email address hidden> Fri, 21 Jul 2017 22:28:32 +0200

This bug was not mentioned in d/changelog and therefore not auto closed. Can someone from the security team confirm please?

I believe the fix for this was released already, unless there were multiple CVE-2017-3142 regressions:

xenial:
bind9 (1:9.10.3.dfsg.P4-8ubuntu1.8) xenial-security; urgency=medium

* SECURITY REGRESSION: regression in last security update
    - debian/patches/CVE-2017-3142-regression.patch: fix verification of
      TSIG signed TCP message sequences where not all the messages contain
      TSIG records in lib/dns/tsig.c, aded test to
      lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.

trusty:
bind9 (1:9.9.5.dfsg-3ubuntu0.16) trusty-security; urgency=medium

* SECURITY REGRESSION: regression in last security update
    - fix verification of TSIG signed TCP message sequences where not all
      the messages contain TSIG records in lib/dns/tsig.c, aded test to
      lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.
    - 6fcdcabc11f18eb128167f7f7eca4a244bf75c52
  * Update the built in managed keys to include the upcoming root KSK in
    bind.keys, bin/named/bind.keys.h.
    - 9543825c155c5c5ec42cc4d95fe6f0d52ef9b0a7

-- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 15 Sep 2017 07:53:57 -0400

bind9 (1:9.9.5.dfsg-3ubuntu0.15) trusty-security; urgency=medium

* SECURITY UPDATE: TSIG authentication issues
    - lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c: fix TSIG logic.
    - CVE-2017-3142
    - CVE-2017-3143

zesty:
bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5.2) zesty-security; urgency=medium

* SECURITY REGRESSION: regression in last security update
    - debian/patches/CVE-2017-3142-regression.patch: fix verification of
      TSIG signed TCP message sequences where not all the messages contain
      TSIG records in lib/dns/tsig.c, aded test to
      lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.
  * debian/patches/update_keys.patch: Update the built in managed keys to
    include the upcoming root KSK in bind.keys, bind.keys.h.

artful (via debian merge):
bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium

* Non-maintainer upload.
  * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
    signed TCP message sequences where not all the messages contain TSIG
    records. These may be used in AXFR and IXFR responses.
    (Closes: #868952)

-- Salvatore Bonaccorso <carnil@debian.org>  Fri, 21 Jul 2017 22:28:32 +0200

This bug was not mentioned in d/changelog and therefore not auto closed. Can someone from the security team confirm please?

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2017-12-14:

#3

Oh, yeah, that's the same regression. Sorry, I forgot I had opened this bug. Closing now. Thanks!

Changed in bind9 (Ubuntu Trusty):
status:	New → Fix Released
Changed in bind9 (Ubuntu Xenial):
status:	New → Fix Released
Changed in bind9 (Ubuntu Zesty):
status:	New → Fix Released
Changed in bind9 (Ubuntu Artful):
status:	Fix Committed → Fix Released
Changed in bind9 (Ubuntu):
status:	Fix Committed → Fix Released

Ubuntu
bind9 package

Regression in CVE-2017-3142

Bug Description

CVE References

Other bug subscribers

Remote bug watches

	Status	Importance	Assigned to
bind9 (Debian)	Fix Released	Unknown	debbugs #868952
bind9 (Ubuntu)	Fix Released	High	Unassigned
Trusty	Fix Released	High	Unassigned
Xenial	Fix Released	High	Unassigned
Zesty	Fix Released	High	Unassigned
Artful	Fix Released	High	Unassigned

Ubuntubind9 package

Regression in CVE-2017-3142

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
bind9 package