[Pkg-dns-devel] Bug#889285: Bug#889285: bind9: CVE-2017-3139 affects debian too: assertion failure in validator.c:1858
Ondřej Surý
ondrej at sury.org
Sat Feb 3 10:24:41 UTC 2018
Control: tags -1 +wheezy
You should probably contact the Debian LTS team as it affects wheezy that’s maintained by the LTS Team.
Ondrej
--
Ondřej Surý <ondrej at sury.org>
> On 3 Feb 2018, at 11:12, Vladislav Kurz <vladislav.kurz at webstep.net> wrote:
>
> Package: bind9
> Version: 1:9.8.4.dfsg.P1-6+nmu2+deb7u19
> Severity: grave
> Tags: security
> Justification: renders package unusable
>
> Dear Maintainer,
>
> This is a followup to archived bug #860225.
>
> Although
> https://security-tracker.debian.org/tracker/CVE-2017-3139 states that
> Debian is not affected by CVE-2017-3139, I observed this behavior on
> Debian wheezy:
>
> Feb 3 08:38:07 server named[16906]: validator.c:1858: INSIST(rdataset->type == ((dns_rdatatype_t)dns_rdatatype_dnskey)) failed, back trace
> Feb 3 08:38:07 server named[16906]: #0 0x7f9b66798e19 in ??
> Feb 3 08:38:07 server named[16906]: #1 0x7f9b650d5f3a in ??
> Feb 3 08:38:07 server named[16906]: #2 0x7f9b66094e57 in ??
> Feb 3 08:38:07 server named[16906]: #3 0x7f9b6609b599 in ??
> Feb 3 08:38:07 server named[16906]: #4 0x7f9b650f4dfd in ??
> Feb 3 08:38:07 server named[16906]: #5 0x7f9b64aa8b50 in ??
> Feb 3 08:38:07 server named[16906]: #6 0x7f9b64492fbd in ??
> Feb 3 08:38:07 server named[16906]: exiting (due to assertion failure)
>
> Ondrej Zary reported this on Sat, 02 Sep 2017 in bug #860225 but it
> was closed and archived without answer. May I ask why?
>
> I had a look at the relevant bug report at Red Hat, but they do not
> provide many details: https://bugzilla.redhat.com/show_bug.cgi?id=1447743
> So I'm not 100% sure it is the same bug.
>
>
> *** Please consider answering these questions, where appropriate ***
>
> * What led up to the situation?
> * What exactly did you do (or not do) that was effective (or
> ineffective)?
> * What was the outcome of this action?
> * What outcome did you expect instead?
>
> *** End of the template - remove these lines ***
>
>
> -- System Information:
> Debian Release: 7.11
> APT prefers oldoldstable
> APT policy: (500, 'oldoldstable')
> Architecture: i386 (i686)
>
> Kernel: Linux 3.2.0-5-686-pae (SMP w/1 CPU core)
> Locale: LANG=sk_SK, LC_CTYPE=sk_SK (charmap=ISO-8859-2)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages bind9 depends on:
> ii adduser 3.113+nmu3
> ii bind9utils 1:9.8.4.dfsg.P1-6+nmu2+deb7u19
> ii debconf [debconf-2.0] 1.5.49
> ii libbind9-80 1:9.8.4.dfsg.P1-6+nmu2+deb7u19
> ii libc6 2.13-38+deb7u12
> ii libcap2 1:2.22-1.2
> ii libdns88 1:9.8.4.dfsg.P1-6+nmu2+deb7u19
> ii libgssapi-krb5-2 1.10.1+dfsg-5+deb7u9
> ii libisc84 1:9.8.4.dfsg.P1-6+nmu2+deb7u19
> ii libisccc80 1:9.8.4.dfsg.P1-6+nmu2+deb7u19
> ii libisccfg82 1:9.8.4.dfsg.P1-6+nmu2+deb7u19
> ii liblwres80 1:9.8.4.dfsg.P1-6+nmu2+deb7u19
> ii libssl1.0.0 1.0.1t-1+deb7u3
> ii libxml2 2.8.0+dfsg1-7+wheezy12
> ii lsb-base 4.1+Debian8+deb7u1
> ii net-tools 1.60-24.2
> ii netbase 5.0
>
> bind9 recommends no packages.
>
> Versions of packages bind9 suggests:
> pn bind9-doc <none>
> ii dnsutils 1:9.8.4.dfsg.P1-6+nmu2+deb7u19
> pn resolvconf <none>
> pn ufw <none>
>
> -- Configuration Files:
> /etc/bind/named.conf.local changed:
> //
> // Do any local configuration here
> //
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> include "/etc/bind/zones.rfc1918";
>
> /etc/bind/named.conf.options changed:
> options {
>     directory "/var/cache/bind";
>     // If there is a firewall between you and nameservers you want
>     // to talk to, you may need to fix the firewall to allow multiple
>     // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>     // If your ISP provided one or more IP addresses for stable
>     // nameservers, you probably want to use them as forwarders.
>     // Uncomment the following block, and insert the addresses replacing
>     // the all-0's placeholder.
>     // forwarders {
>     //     0.0.0.0;
>     // };
>     auth-nxdomain no; # conform to RFC1035
>     listen-on-v6 { none; };
>     listen-on { 127.0.0.1; };
>     dnssec-enable yes;
>     dnssec-validation auto;
>     dnssec-lookaside auto;
> };
>
>
> -- debconf information:
> bind9/different-configuration-file:
> bind9/run-resolvconf: true
> bind9/start-as-user: bind
>
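An added example, not part of the original message or of BIND: a log check that extracts named assertion-failure crashes like the one quoted in the report from syslog lines, tracked per PID. The function name is hypothetical, and the sample input is an excerpt of the lines quoted above plus two constructed unrelated lines.

```python
import re

# Syslog prefix as it appears in the report: "Feb 3 08:38:07 server named[16906]: ..."
PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+"
                    r"named\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
# named's assertion message: "<file>:<line>: <TYPE>(<condition>) failed[, back trace]"
ASSERT = re.compile(r"^(?P<file>[\w./-]+):(?P<line>\d+):\s+"
                    r"(?P<kind>INSIST|REQUIRE|ENSURE|INVARIANT)\((?P<cond>.*)\) failed")
FRAME = re.compile(r"^#\d+\s+0x[0-9a-f]+\s+in\s+")
EXIT_MSG = "exiting (due to assertion failure)"

# Excerpt of the lines quoted in the report, plus two constructed unrelated lines.
SAMPLE = [
    "Feb 3 08:37:59 server cron[812]: constructed unrelated line",
    "Feb 3 08:38:07 server named[16906]: validator.c:1858: INSIST(rdataset->type == "
    "((dns_rdatatype_t)dns_rdatatype_dnskey)) failed, back trace",
    "Feb 3 08:38:07 server named[16906]: #0 0x7f9b66798e19 in ??",
    "Feb 3 08:38:07 server named[16906]: #1 0x7f9b650d5f3a in ??",
    "Feb 3 08:38:07 server named[17001]: constructed line from another named PID",
    "Feb 3 08:38:07 server named[16906]: exiting (due to assertion failure)",
]


def find_assertion_crashes(lines):
    """Return one record per assertion failure logged by named, tracked per PID."""
    pending, crashes = {}, []
    for raw in lines:
        m = PREFIX.match(raw.strip())
        if not m:
            continue  # not a named line
        pid, msg = int(m["pid"]), m["msg"]
        hit = ASSERT.match(msg)
        if hit:
            rec = {"time": m["ts"], "host": m["host"], "pid": pid,
                   "location": f"{hit['file']}:{hit['line']}", "kind": hit["kind"],
                   "condition": hit["cond"], "frames": 0, "exited": False}
            pending[pid] = rec
            crashes.append(rec)
        elif pid in pending and FRAME.match(msg):
            pending[pid]["frames"] += 1  # back trace line belonging to this failure
        elif pid in pending and msg == EXIT_MSG:
            pending.pop(pid)["exited"] = True  # the daemon terminated after the failure
    return crashes


if __name__ == "__main__":
    for crash in find_assertion_crashes(SAMPLE):
        print(crash)
```

Grouping the returned records by `location` shows whether the same assertion keeps firing across restarts.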