** CONFIDENTIAL **

Hello:

ISC would like to make you aware of an upcoming security disclosure covering two exploitable BIND vulnerabilities (CVE-2017-3140, CVE-2017-3141) and an operational notification concerning a potentially impacting defect.

On Wednesday, 14 June 2017, we plan to publicly disclose these and issue new security releases.

For the benefit of those selectively porting fixes, specific patch diffs for each CVE can be found in the "patches" subdirectory of the 9.9.10-P1, 9.10.5-P1, and 9.11.1-P1 release directories.

Please do not divulge details about the vulnerabilities or the location or contents of the replacement releases until after ISC has gone public with our announcement. However, to give you a chance to get started on updated packages the links below will provide early access to the new software.

[Redacted]

We appreciate the work you do to make BIND available.

** An email with full content has been sent to the maintainer using OpenPGP encrypted email
Public via http://www.openwall.com/lists/oss-security/2017/06/14/4

Date: Wed, 14 Jun 2017 18:31:00 -0500
From: ISC Security Officer <security-officer@....org>
To: oss-security@...ts.openwall.com
Cc: ISC Security Officer <security-officer@....org>
Subject: BIND9 CVE-2017-3140 & CVE-2017-3141

Today ISC announced CVE-2017-3140, CVE-2017-3141, and an operational notification regarding LMDB in BIND 9.11.

CVE-2017-3140 is a denial-of-service vulnerability affecting 9.9.10, 9.10.5, 9.11.0->9.11.1, 9.9.10-S1, and 9.10.5-S1 when configured with Response Policy Zones (RPZ) utilizing NSIP or NSDNAME rules.

We are aware that some subscribers to this list maintain BIND packages which have diverged from the official ISC code branches. While we cannot always offer specific guidance, in the case of CVE-2017-3140 maintainers who have selectively backported BIND changes are advised to check whether they have included change #4377, as that change has been determined to be a cause of CVE-2017-3140.

CVE-2017-3141 is a Windows privilege escalation vector affecting 9.2.6-P2+, 9.3.2-P1+, 9.4.x, 9.5.x, 9.6.x, 9.7.x, 9.8.x, 9.9.0->9.9.10, 9.10.0->9.10.5, 9.11.0->9.11.1, 9.9.3-S1->9.9.10-S1, and 9.10.5-S1. The BIND Windows installer failed to properly quote the service paths, possibly allowing a local user to achieve privilege escalation, if allowed by file system permissions.

BIND 9.11.0 and 9.11.1 carry a number of integration problems with LMDB (liblmdb) that will be addressed in BIND 9.11.2, planned for release in July/August 2017.

Our full CVE text can be found at:
https://kb.isc.org/article/AA-01495/74/CVE-2017-3140
https://kb.isc.org/article/AA-01496/74/CVE-2017-3141

The full operational notification can be found at:
https://kb.isc.org/article/AA-01497/169/LMDB-integration-problems.html

New releases of BIND, including security fixes for these vulnerabilities, are available at:
http://www.isc.org/downloads/

Release notes can be obtained using the following links:
ftp://ftp.isc.org/isc/bind9/9.9.10-P1/
ftp://ftp.isc.org/isc/bind9/9.10.5-P1/
ftp://ftp.isc.org/isc/bind9/9.11.1-P1/

Brian Conry
Security Officer
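The CVE-2017-3141 description above says the Windows installer did not quote the service path. As an added example (not ISC's or Gentoo's code, and not part of the original comment), this audit flags service ImagePath values whose executable path contains whitespace but is not quoted, and returns the quoted form. The service names and paths in SAMPLE are constructed, and the input is assumed to be ImagePath strings already exported from the registry.

```python
import re
from typing import Dict, List, NamedTuple

# The executable part ends at the first .exe/.com/.bat/.cmd that is followed
# by whitespace or the end of the string; anything after it is arguments.
_EXE_END = re.compile(r"\.(?:exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)


class Finding(NamedTuple):
    service: str
    unquoted: bool   # True when the path has whitespace and no quotes
    suggested: str   # ImagePath with the executable quoted


def audit_image_path(service: str, image_path: str) -> Finding:
    raw = image_path.strip()
    if raw.startswith('"'):
        return Finding(service, False, raw)      # already quoted
    m = _EXE_END.search(raw)
    if m is None:
        return Finding(service, False, raw)      # no executable found: review by hand
    exe, args = raw[:m.end()], raw[m.end():]
    if not re.search(r"\s", exe):
        return Finding(service, False, raw)      # no whitespace, quoting not needed
    return Finding(service, True, f'"{exe}"{args}')


def audit(services: Dict[str, str]) -> List[Finding]:
    """Return only the services that need their ImagePath quoted."""
    results = (audit_image_path(name, path) for name, path in services.items())
    return [f for f in results if f.unquoted]


# Constructed sample data (hypothetical service names and install paths).
SAMPLE = {
    "named": r"C:\Program Files\ISC BIND 9\bin\named.exe",
    "named-quoted": r'"C:\Program Files\ISC BIND 9\bin\named.exe"',
    "agent": r"C:\Program Files\Example Agent\agent.exe --service -c C:\etc\a.conf",
    "svchost": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.service}: set ImagePath to {f.suggested}")
```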
bind and bind-tools 9.11.1_p1 have just been added.
(In reply to Christian Ruppert (idl0r) from comment #2)
> bind and bind-tools 9.11.1_p1 have just been added.

Thank you for the bump, please call for stabilization when you feel it is ready
*** Bug 622310 has been marked as a duplicate of this bug. ***
(In reply to Kristian Fiskerstrand from comment #3)
> (In reply to Christian Ruppert (idl0r) from comment #2)
> > bind and bind-tools 9.11.1_p1 have just been added.
>
> Thank you for the bump, please call for stabilization when you feel it is
> ready

Is this ready for stabilization yet?
(In reply to Kristian Fiskerstrand from comment #5)
> (In reply to Kristian Fiskerstrand from comment #3)
> > (In reply to Christian Ruppert (idl0r) from comment #2)
> > > bind and bind-tools 9.11.1_p1 have just been added.
> >
> > Thank you for the bump, please call for stabilization when you feel it is
> > ready
>
> Is this ready for stabilization yet?

Yeah, looks ok to me. If you want to stabilize it, please stabilize bind-tools-9.11.1_p1 as well.
amd64 stable
The stabilisation of bind-9.11.1_p1 effectively re-opens bug 600212.
Stable on alpha.
Added to an existing GLSA.
ia64 stable
x86 stable
arm stable
sparc stable
ppc stable
ppc64 stable
Arches or maintainers please stabilize for Hippo ASAP. Security will release GLSA for this in 7 days with or without hppa arch being stable.
(In reply to Yury German from comment #17)
> Arches or maintainers please stabilize for Hippo

<-- hppa
Script went crazy.
This issue was resolved and addressed in GLSA 201708-01 at https://security.gentoo.org/glsa/201708-01 by GLSA coordinator Yury German (BlueKnight).
re-opening for cleanup. Maintainer(s), please drop the vulnerable version(s).
hppa stable

Last arch is done here.
Tree is clean from vulnerable versions.

Gentoo Security Padawan
ChrisADR