Your message dated Mon, 13 May 2019 21:17:13 +0000
with message-id <[email protected]>
and subject line Bug#927932: fixed in bind9 1:9.10.3.dfsg.P4-12.3+deb9u5
has caused the Debian Bug report #927932,
regarding bind9: CVE-2018-5743: Limiting simultaneous TCP clients is ineffective
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
927932: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927932
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: src:bind9
Severity: grave
Tags: security, upstream
CVE: CVE-2018-5743

Document version: 2.0
Posting date: 24 April 2019
Program impacted: BIND
Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6, 9.12.0 -> 9.12.4, 9.14.0.
  BIND 9 Supported Preview Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5.
  Versions 9.13.0 -> 9.13.7 of the 9.13 development branch are also affected.
  Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5743.
Severity: High
Exploitable: Remotely

Description:
By design, BIND is intended to limit the number of TCP clients that can be
connected at any given time. The number of allowed connections is a tunable
parameter which, if unset, defaults to a conservative value for most servers.

Unfortunately, the code which was intended to limit the number of simultaneous
connections contains an error which can be exploited to grow the number of
simultaneous connections beyond this limit.

Impact:
By exploiting the failure to limit simultaneous TCP connections, an attacker
can deliberately exhaust the pool of file descriptors available to named,
potentially affecting network connections and the management of files such
as log files or zone journal files.

In cases where the named process is not limited by OS-enforced per-process
limits, this could additionally potentially lead to exhaustion of all
available free file descriptors on that system.

CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and to obtain
your specific environmental score please visit:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Workarounds: None.

Active exploits:
No known deliberate exploits, but the situation may occur accidentally on
busy servers.

It is possible for operators to mistakenly believe that their configured (or
default) limit is sufficient for their typical operations, when in fact it is
not. Following an upgrade to a version that effectively applies limits, named
may deny connections which were previously improperly permitted. Operators
can monitor their logs for rejected connections, keep an eye on "rndc status"
reports of simultaneous connections, or use other tools to monitor whether the
now-effective limits are causing problems for legitimate clients. Should this
be the case, increasing the value of the tcp-clients setting in named.conf to
an appropriate value would be recommended.

Solution:
Upgrade to a version of BIND containing a fix for the ineffective limits.
 - BIND 9.11.6-P1
 - BIND 9.12.4-P1
 - BIND 9.14.1

BIND Supported Preview Edition is a special feature preview branch of BIND
provided to eligible ISC support customers.
 - BIND 9.11.5-S6
 - BIND 9.11.6-S1

Acknowledgements:
ISC would like to thank AT&T for helping us to discover this issue.

Document revision history:
1.0 Advance Notification, 16 January 2019
1.1 Recall due to error in original fix, 17 January 2019
1.3 Replacement fix delivered to Advance Notification customers, 15 April 2019
1.4 Corrected Versions affected and Solution, 16 April 2019
1.5 Added reference to BIND 9.11.6-S1
2.0 Public disclosure, 24 April 2019

Related documents:
See our BIND 9 Security Vulnerability Matrix for a complete listing of
security vulnerabilities and versions affected.

Do you still have questions?
Questions regarding this advisory should go to [email protected].
To report a new issue, please encrypt your message using [email protected]'s
PGP key which can be found here:
https://www.isc.org/downloads/software-support-policy/openpgp-key
If you are unable to use encrypted email, you may also report new issues at:
https://www.isc.org/community/report-bug/.

Note:
ISC patches only currently supported versions. When possible we indicate EOL
versions affected. (For current information on which versions are actively
supported, please see https://www.isc.org/downloads/.)

ISC Security Vulnerability Disclosure Policy:
Details of our current security advisory policy and practice can be found in
the ISC Software Defect and Security Vulnerability Disclosure Policy.

Legal Disclaimer:
Internet Systems Consortium (ISC) is providing this notice on an "AS IS"
basis. No warranty or guarantee of any kind is expressed in this notice and
none should be implied. ISC expressly excludes and disclaims any warranties
regarding this notice or materials referred to in this notice, including,
without limitation, any implied warranty of merchantability, fitness for a
particular purpose, absence of hidden defects, or of non-infringement.

Your use or reliance on this notice or materials referred to in this notice
is at your own risk. ISC may change this notice at any time.

A stand-alone copy or paraphrase of the text of this document that omits the
document URL is an uncontrolled copy. Uncontrolled copies may lack important
information, be out of date, or contain factual errors.
--- End Message ---
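The advisory above tells operators to watch "rndc status" for the number of simultaneous TCP clients after upgrading, and to raise tcp-clients in named.conf if legitimate clients are now being refused. The following is an added example written for this page, not code from the Debian bug report, ISC or the bind9 package: it parses the `tcp clients: current/limit` line of `rndc status` output (the exact line format is an assumption based on BIND 9.10/9.11-era output; the sample text below is constructed), classifies how close the server is to its quota, and proposes a tcp-clients value with headroom over the observed peak. The helper names (`parse_tcp_clients`, `check_tcp_quota`, `suggest_tcp_clients`, `render_tcp_clients_option`) are this example's own.

```python
#!/usr/bin/env python3
"""Check BIND TCP client quota usage from `rndc status` output.

Usage:  rndc status | python3 check_tcp_quota.py
Without stdin input the constructed SAMPLE_STATUS below is used.
"""
import math
import re
import sys

# Constructed sample of `rndc status` output (not captured from a real server).
# Assumption: the TCP quota is reported as "tcp clients: <current>/<limit>".
SAMPLE_STATUS = """version: BIND 9.10.3-P4-Debian
boot time: Mon, 13 May 2019 20:02:11 GMT
last configured: Mon, 13 May 2019 20:02:11 GMT
CPUs found: 4
worker threads: 4
UDP listeners per interface: 4
number of zones: 104
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 12/900/1000
tcp clients: 97/100
server is up and running
"""

TCP_CLIENTS_RE = re.compile(r"^tcp clients:\s*(\d+)/(\d+)\s*$", re.MULTILINE)


def parse_tcp_clients(status_text):
    """Return (current, limit) from rndc status text, or None if the line is absent."""
    match = TCP_CLIENTS_RE.search(status_text)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def check_tcp_quota(status_text, warn_ratio=0.8):
    """Classify TCP quota usage as 'unknown', 'ok', 'warn' or 'exhausted'.

    'exhausted' means current >= limit: with an effective limit (fixed BIND),
    new TCP connections are being refused at this point.
    """
    parsed = parse_tcp_clients(status_text)
    if parsed is None:
        return "unknown"
    current, limit = parsed
    if limit <= 0 or current >= limit:
        return "exhausted"
    if current / limit >= warn_ratio:
        return "warn"
    return "ok"


def suggest_tcp_clients(peak, current_limit, headroom=2.0, step=50):
    """Suggest a tcp-clients value: `headroom` times the observed peak, rounded
    up to a multiple of `step`, and never lower than the limit already set."""
    proposed = math.ceil(peak * headroom / step) * step
    return max(current_limit, proposed)


def render_tcp_clients_option(value):
    """Render the named.conf options fragment that raises the quota."""
    return "options {\n    tcp-clients %d;\n};" % value


if __name__ == "__main__":
    text = SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read()
    state = check_tcp_quota(text)
    parsed = parse_tcp_clients(text)
    print("tcp quota state:", state)
    if parsed is not None and state != "ok":
        current, limit = parsed
        suggested = suggest_tcp_clients(current, limit)
        print("observed %d/%d; consider raising tcp-clients:" % (current, limit))
        print(render_tcp_clients_option(suggested))
```

Run it periodically (or from a monitoring agent) and alert on "warn" or "exhausted"; a sustained "exhausted" state after the upgrade is the symptom the advisory describes, where connections that were previously let through past the ineffective limit are now correctly refused. Note that a suggested value is only a starting point: the appropriate tcp-clients setting also depends on the file descriptor limit named runs under, which is exactly the resource this bug allowed to be exhausted.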
--- Begin Message ---
Source: bind9
Source-Version: 1:9.10.3.dfsg.P4-12.3+deb9u5

We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <[email protected]> (supplier of updated bind9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 03 May 2019 22:34:35 +0200
Source: bind9
Binary: bind9 bind9utils bind9-doc host bind9-host libbind-dev libbind9-140 libdns162 libirs141 libisc160 liblwres141 libisccc140 libisccfg140 dnsutils lwresd libbind-export-dev libdns-export162 libdns-export162-udeb libisc-export160 libisc-export160-udeb libisccfg-export140 libisccc-export140 libisccc-export140-udeb libisccfg-export140-udeb libirs-export141 libirs-export141-udeb
Architecture: source
Version: 1:9.10.3.dfsg.P4-12.3+deb9u5
Distribution: stretch-security
Urgency: high
Maintainer: Debian DNS Packaging <[email protected]>
Changed-By: Bernhard Schmidt <[email protected]>
Description:
 bind9      - Internet Domain Name Server
 bind9-doc  - Documentation for BIND
 bind9-host - Version of 'host' bundled with BIND 9.X
 bind9utils - Utilities for BIND
 dnsutils   - Clients provided with BIND
 host       - Transitional package
 libbind-dev - Static Libraries and Headers used by BIND
 libbind-export-dev - Development files for the exported BIND libraries
 libbind9-140 - BIND9 Shared Library used by BIND
 libdns-export162 - Exported DNS Shared Library
 libdns-export162-udeb - Exported DNS library for debian-installer (udeb)
 libdns162  - DNS Shared Library used by BIND
 libirs-export141 - Exported IRS Shared Library
 libirs-export141-udeb - Exported IRS library for debian-installer (udeb)
 libirs141  - DNS Shared Library used by BIND
 libisc-export160 - Exported ISC Shared Library
 libisc-export160-udeb - Exported ISC library for debian-installer (udeb)
 libisc160  - ISC Shared Library used by BIND
 libisccc-export140 - Command Channel Library used by BIND
 libisccc-export140-udeb - Command Channel Library used by BIND (udeb)
 libisccc140 - Command Channel Library used by BIND
 libisccfg-export140 - Exported ISC CFG Shared Library
 libisccfg-export140-udeb - Exported ISC CFG library for debian-installer (udeb)
 libisccfg140 - Config File Handling Library used by BIND
 liblwres141 - Lightweight Resolver Library used by BIND
 lwresd     - Lightweight Resolver Daemon
Closes: 922954 922955 927932
Changes:
 bind9 (1:9.10.3.dfsg.P4-12.3+deb9u5) stretch-security; urgency=high
 .
   [ Marc Deslauriers (Ubuntu) ]
   * CVE-2018-5743: limiting simultaneous TCP clients is ineffective.
     Thanks to Marc Deslauriers of Ubuntu (Closes: #927932)
 .
   [ Ondřej Surý ]
   * Sync Maintainer and Uploaders with unstable
   * [CVE-2019-6465]: Zone transfer for DLZs are executed though not
     permitted by ACLs. (Closes: #922955)
   * [CVE-2018-5745]: Avoid assertion and thus causing named to
     deliberately exit when a trust anchor's key is replaced with a key
     which uses an unsupported algorithm. (Closes: #922954)
Checksums-Sha1:
 6860272e873dc1832c650fd4297a10e07d8a79f7 3908 bind9_9.10.3.dfsg.P4-12.3+deb9u5.dsc
 4e729f86198c8724c58a2e0dc695cc8be96f2a8a 98420 bind9_9.10.3.dfsg.P4-12.3+deb9u5.debian.tar.xz
 505a434d946ea958238008ce240871e1eb1e9513 21618 bind9_9.10.3.dfsg.P4-12.3+deb9u5_amd64.buildinfo
Checksums-Sha256:
 86ab6f642822821b115319f489a9b64d0b7b2b924a176677b536d5a373a1ec92 3908 bind9_9.10.3.dfsg.P4-12.3+deb9u5.dsc
 0cb2d69f869c45b0ad65253dfce0ec1d850dc70a49eb14169d91b3a06fbb9047 98420 bind9_9.10.3.dfsg.P4-12.3+deb9u5.debian.tar.xz
 bb104617c40823b776a4ac366eb78e295b11c5f83231602cbc6ad188ca411813 21618 bind9_9.10.3.dfsg.P4-12.3+deb9u5_amd64.buildinfo
Files:
 65559b9d5844fc65327fe313b0e408dd 3908 net optional bind9_9.10.3.dfsg.P4-12.3+deb9u5.dsc
 ffa19a3fdd7bda1215cf1dadb3adc4c3 98420 net optional bind9_9.10.3.dfsg.P4-12.3+deb9u5.debian.tar.xz
 0d2a4d0a411005cc2291ac82c4ea5aef 21618 net optional bind9_9.10.3.dfsg.P4-12.3+deb9u5_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEE1uAexRal3873GVbTd1B55bhQvJMFAlzN8lsRHGJlcm5pQGRl
Ymlhbi5vcmcACgkQd1B55bhQvJMJrRAAgWzqfvqdAPWpi/aOL9y79BZRECTKMzn7
OoXDuBju8AbMO92Fs1hWbnTZeWJLxFp1Ht63WG9bmk7lkYzdWvB9OZvlmFmlOY6I
5gNNeSkT+0meW07in6KDZ+StXFrz0LwWDhYFKLKE187AzSK2Rr3ZIo43hFwI1Mif
KXPB4Oun/y1kC+LUJrPZiHfJSoYkBwFiwN+EKgk7JrFgl+1z1wANaeaJooAdUalF
5ICmd/P6X5zrfuMsmcqhCEJWg/zT9f15x+/cYCep+FBhWcFDqPUXlnl9r8USTb1J
d40FSf7Mr6OrCLBaaNBSff1GeIdh7+dBGRlW/Wtw6B6vPqBgT0+QKfY4kmXrjC74
Ryp4J5TvT8TO7F8ejkKVMIsH/OGhJqbJc4/4gmVH438e1Z2cJEn6ywDJN7Z8nhpk
lIRmrVlxj2j6pgxwnThCwxpnJAjuQc5ycbMiMbHSC6Y7vt3D0gqQElsWA8hHYcGc
gyvGeo9i0r1PIJq8U/65YcXgppxUH4L7C+u2Bn0fdQLSNjd+ndupbaQ5u9odqIKu
TxNKaBN+plryrbusLnniXERz0fNx0u4LqdjG8d9T8EkbF3oh2WKs+RAs7wQhcQaZ
7t+5ndumaLgx+/d6xfBERxmnvIc8dLdX49KNY56hbpdlHfYVR0CXUNyq1Vu3BvxO
8obm3n79Ix4=
=LFoK
-----END PGP SIGNATURE-----
--- End Message ---

