Comment 2 for bug 1717981

Andreas Hasenack (ahasenack) wrote :

I believe the fix for this was released already, unless there were multiple CVE-2017-3142 regressions:

xenial:
bind9 (1:9.10.3.dfsg.P4-8ubuntu1.8) xenial-security; urgency=medium

  * SECURITY REGRESSION: regression in last security update
    - debian/patches/CVE-2017-3142-regression.patch: fix verification of
      TSIG signed TCP message sequences where not all the messages contain
      TSIG records in lib/dns/tsig.c, added test to
      lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.

trusty:
bind9 (1:9.9.5.dfsg-3ubuntu0.16) trusty-security; urgency=medium

  * SECURITY REGRESSION: regression in last security update
    - fix verification of TSIG signed TCP message sequences where not all
      the messages contain TSIG records in lib/dns/tsig.c, added test to
      lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.
    - 6fcdcabc11f18eb128167f7f7eca4a244bf75c52
  * Update the built in managed keys to include the upcoming root KSK in
    bind.keys, bin/named/bind.keys.h.
    - 9543825c155c5c5ec42cc4d95fe6f0d52ef9b0a7

 -- Marc Deslauriers <email address hidden> Fri, 15 Sep 2017 07:53:57 -0400

bind9 (1:9.9.5.dfsg-3ubuntu0.15) trusty-security; urgency=medium

  * SECURITY UPDATE: TSIG authentication issues
    - lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c: fix TSIG logic.
    - CVE-2017-3142
    - CVE-2017-3143

zesty:
bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5.2) zesty-security; urgency=medium

  * SECURITY REGRESSION: regression in last security update
    - debian/patches/CVE-2017-3142-regression.patch: fix verification of
      TSIG signed TCP message sequences where not all the messages contain
      TSIG records in lib/dns/tsig.c, added test to
      lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.
  * debian/patches/update_keys.patch: Update the built in managed keys to
    include the upcoming root KSK in bind.keys, bind.keys.h.

artful (via debian merge):
bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium

  * Non-maintainer upload.
  * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
    signed TCP message sequences where not all the messages contain TSIG
    records. These may be used in AXFR and IXFR responses.
    (Closes: #868952)

 -- Salvatore Bonaccorso <email address hidden> Fri, 21 Jul 2017 22:28:32 +0200

This bug was not mentioned in d/changelog and was therefore not auto-closed. Can someone from the security team confirm, please?