Regression in CVE-2017-3142

Bug #1717981 reported by Marc Deslauriers on 2017-09-18
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
bind9 (Debian)
Fix Released
Unknown
bind9 (Ubuntu)
High
Unassigned
Trusty
High
Unassigned
Xenial
High
Unassigned
Zesty
High
Unassigned
Artful
High
Unassigned

Bug Description

The CVE-2017-3142 patch included in USN-3346-1 contained a regression.

See:
https://lists.isc.org/pipermail/bind-announce/2017-July/001054.html

CVE References

Changed in bind9 (Ubuntu Artful):
status: New → Fix Committed
Changed in bind9 (Debian):
status: Unknown → Fix Released
Mathew Hodson (mathew-hodson) wrote :
Changed in bind9 (Ubuntu Trusty):
importance: Undecided → High
Changed in bind9 (Ubuntu Xenial):
importance: Undecided → High
Changed in bind9 (Ubuntu Zesty):
importance: Undecided → High
Changed in bind9 (Ubuntu Artful):
importance: Undecided → High
Andreas Hasenack (ahasenack) wrote :

I believe the fix for this was released already, unless there were multiple CVE-2017-3142 regressions:

xenial:
bind9 (1:9.10.3.dfsg.P4-8ubuntu1.8) xenial-security; urgency=medium

  * SECURITY REGRESSION: regression in last security update
    - debian/patches/CVE-2017-3142-regression.patch: fix verification of
      TSIG signed TCP message sequences where not all the messages contain
      TSIG records in lib/dns/tsig.c, aded test to
      lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.

trusty:
bind9 (1:9.9.5.dfsg-3ubuntu0.16) trusty-security; urgency=medium

  * SECURITY REGRESSION: regression in last security update
    - fix verification of TSIG signed TCP message sequences where not all
      the messages contain TSIG records in lib/dns/tsig.c, aded test to
      lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.
    - 6fcdcabc11f18eb128167f7f7eca4a244bf75c52
  * Update the built in managed keys to include the upcoming root KSK in
    bind.keys, bin/named/bind.keys.h.
    - 9543825c155c5c5ec42cc4d95fe6f0d52ef9b0a7

 -- Marc Deslauriers <email address hidden> Fri, 15 Sep 2017 07:53:57 -0400

bind9 (1:9.9.5.dfsg-3ubuntu0.15) trusty-security; urgency=medium

  * SECURITY UPDATE: TSIG authentication issues
    - lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c: fix TSIG logic.
    - CVE-2017-3142
    - CVE-2017-3143

zesty:
bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5.2) zesty-security; urgency=medium

  * SECURITY REGRESSION: regression in last security update
    - debian/patches/CVE-2017-3142-regression.patch: fix verification of
      TSIG signed TCP message sequences where not all the messages contain
      TSIG records in lib/dns/tsig.c, aded test to
      lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.
  * debian/patches/update_keys.patch: Update the built in managed keys to
    include the upcoming root KSK in bind.keys, bind.keys.h.

artful (via debian merge):
bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium

  * Non-maintainer upload.
  * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
    signed TCP message sequences where not all the messages contain TSIG
    records. These may be used in AXFR and IXFR responses.
    (Closes: #868952)

 -- Salvatore Bonaccorso <email address hidden> Fri, 21 Jul 2017 22:28:32 +0200

This bug was not mentioned in d/changelog and therefore not auto closed. Can someone from the security team confirm please?

Marc Deslauriers (mdeslaur) wrote :

Oh, yeah, that's the same regression. Sorry, I forgot I had opened this bug. Closing now. Thanks!

Changed in bind9 (Ubuntu Trusty):
status: New → Fix Released
Changed in bind9 (Ubuntu Xenial):
status: New → Fix Released
Changed in bind9 (Ubuntu Zesty):
status: New → Fix Released
Changed in bind9 (Ubuntu Artful):
status: Fix Committed → Fix Released
Changed in bind9 (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.