-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package : bind9 Version : 1:9.8.4.dfsg.P1-6+nmu2+deb7u17 CVE ID : CVE-2017-3142 CVE-2017-3143
CVE-2017-3142 An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name may be able to circumvent TSIG authentication of AXFR requests via a carefully constructed request packet. A server that relies solely on TSIG keys for protection with no other ACL protection could be manipulated into: - providing an AXFR of a zone to an unauthorized recipient - accepting bogus NOTIFY packets CVE-2017-3143 An attacker who is able to send and receive messages to an authoritative DNS server and who has knowledge of a valid TSIG key name for the zone and service being targeted may be able to manipulate BIND into accepting an unauthorized dynamic update. For Debian 7 "Wheezy", these problems have been fixed in version 1:9.8.4.dfsg.P1-6+nmu2+deb7u17. We recommend that you upgrade your bind9 packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQJ7BAEBCgBmBQJZZ9arXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5 NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHzqkP+MFU8QL8MwMUK3zTpZhfWoRg faP+dRJkB9rL3SSaDF8FsM2rqHUXg+OrfpWZ+e8fz92ouYIyvEQzOGHPXah6/Ncn zA11q8xTaxBblKhYqs8BWDVmf9p17qAifr8bAFdjBUz3MjYvdoYepQ9Bo2etO7Tl x5MNKssEBRzj3w0QVnXnWv2NHw4Ve0uVz33FeSZnXskRIKigsIbofLrpObh+OmCe +HyuXGLq8t6heUKdfbBQ5YAj7aIJ72VAcxXpyN1ZCZQiu2BJYxOkqKBuhzd+pQ4z Uo9EYuuSCQrV7/KJxBXIoWGeWtBHQFEgMLlG0+z8XXNY85CB1r05FBImr45VVsjb ErGO0YxbBwHlhBpf69/k5or6Xl4OryS4uvS3P9IfYO77q2MqkqsZXw1HetkfuwhL Hq/vM/kk3Pv2bmX5J9xncFRSiib8Z6EQ6a4hWVcJ7Zmwu/85AMibNKY7YIK9p13A sJIRpZrnGct20v1P8bmORi0WD7H+6Hc2V15TlGGeS4xufiEEujpe1jCwwcnI+whl EBYZvjPLX56jSVaazv31PgCNUGVQbkaabyVtintA/2zioMD9lRpO5ILk+ZdI6sYR azBXI198cd1clSGzcGkKsXPUWODfC6rl5datG7ixGTBgx3FB2Is5ckmpoYvRf843 LBNJbmD/on+Sz/Bllbw= =5QMW -----END PGP SIGNATURE-----