* SECURITY REGRESSION: regression in last security update
- debian/patches/CVE-2017-3142-regression.patch: fix verification of
TSIG signed TCP message sequences where not all the messages contain
TSIG records in lib/dns/tsig.c, added test to
lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.
* SECURITY REGRESSION: regression in last security update
- fix verification of TSIG signed TCP message sequences where not all
the messages contain TSIG records in lib/dns/tsig.c, added test to
lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.
- 6fcdcabc11f18eb128167f7f7eca4a244bf75c52
* Update the built in managed keys to include the upcoming root KSK in
bind.keys, bin/named/bind.keys.h.
- 9543825c155c5c5ec42cc4d95fe6f0d52ef9b0a7
* SECURITY REGRESSION: regression in last security update
- debian/patches/CVE-2017-3142-regression.patch: fix verification of
TSIG signed TCP message sequences where not all the messages contain
TSIG records in lib/dns/tsig.c, added test to
lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.
* debian/patches/update_keys.patch: Update the built in managed keys to
include the upcoming root KSK in bind.keys, bind.keys.h.
* Non-maintainer upload.
* Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
signed TCP message sequences where not all the messages contain TSIG
records. These may be used in AXFR and IXFR responses.
(Closes: #868952)
I believe the fix for this was released already, unless there were multiple CVE-2017-3142 regressions:
xenial:
bind9 (1:9.10.3.dfsg.P4-8ubuntu1.8) xenial-security; urgency=medium
* SECURITY REGRESSION: regression in last security update
- debian/patches/CVE-2017-3142-regression.patch: fix verification of
TSIG signed TCP message sequences where not all the messages contain
TSIG records in lib/dns/tsig.c, added test to
lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.
trusty:
bind9 (1:9.9.5.dfsg-3ubuntu0.16) trusty-security; urgency=medium
* SECURITY REGRESSION: regression in last security update
- fix verification of TSIG signed TCP message sequences where not all
the messages contain TSIG records in lib/dns/tsig.c, added test to
lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.
- 6fcdcabc11f18eb128167f7f7eca4a244bf75c52
* Update the built in managed keys to include the upcoming root KSK in
bind.keys, bin/named/bind.keys.h.
- 9543825c155c5c5ec42cc4d95fe6f0d52ef9b0a7
-- Marc Deslauriers <email address hidden> Fri, 15 Sep 2017 07:53:57 -0400
bind9 (1:9.9.5.dfsg-3ubuntu0.15) trusty-security; urgency=medium
* SECURITY UPDATE: TSIG authentication issues
- lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c: fix TSIG logic.
- CVE-2017-3142
- CVE-2017-3143
zesty:
bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5.2) zesty-security; urgency=medium
* SECURITY REGRESSION: regression in last security update
- debian/patches/CVE-2017-3142-regression.patch: fix verification of
TSIG signed TCP message sequences where not all the messages contain
TSIG records in lib/dns/tsig.c, added test to
lib/dns/tests/Makefile.in, lib/dns/tests/tsig_test.c.
* debian/patches/update_keys.patch: Update the built in managed keys to
include the upcoming root KSK in bind.keys, bind.keys.h.
artful (via debian merge):
bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium
* Non-maintainer upload.
* Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
signed TCP message sequences where not all the messages contain TSIG
records. These may be used in AXFR and IXFR responses.
(Closes: #868952)
-- Salvatore Bonaccorso <email address hidden> Fri, 21 Jul 2017 22:28:32 +0200
This bug was not mentioned in d/changelog and therefore not auto closed. Can someone from the security team confirm please?