* [Buildroot] [PATCH] bind: security bump to version 9.11.1-P2
@ 2017-07-02 15:01 Peter Korsgaard
2017-07-02 21:51 ` Thomas Petazzoni
2017-07-04 15:33 ` Peter Korsgaard
From: Peter Korsgaard @ 2017-07-02 15:01 UTC
To: buildroot
Fixes the following security issues:

CVE-2017-3142: An error in TSIG authentication can permit unauthorized zone
transfers

An attacker who is able to send and receive messages to an authoritative DNS
server and who has knowledge of a valid TSIG key name may be able to
circumvent TSIG authentication of AXFR requests via a carefully constructed
request packet. A server that relies solely on TSIG keys for protection with
no other ACL protection could be manipulated into:

* providing an AXFR of a zone to an unauthorized recipient
* accepting bogus NOTIFY packets

https://kb.isc.org/article/AA-01504/74/CVE-2017-3142

CVE-2017-3041: An error in TSIG authentication can permit unauthorized dynamic
updates

An attacker who is able to send and receive messages to an authoritative DNS
server and who has knowledge of a valid TSIG key name for the zone and service
being targeted may be able to manipulate BIND into accepting an unauthorized
dynamic update.

https://kb.isc.org/article/AA-01503/74/CVE-2017-3143

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/bind/bind.hash | 4 ++--
package/bind/bind.mk | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/bind/bind.hash b/package/bind/bind.hash
index 3f0dda531a..5dd15cb86b 100644
--- a/package/bind/bind.hash
+++ b/package/bind/bind.hash
@@ -1,2 +1,2 @@
-# Verified from http://ftp.isc.org/isc/bind9/9.11.1-P1/bind-9.11.1-P1.tar.gz.sha256.asc
-sha256 6b1b3e88d51b8471bd6aee24a8cea70817e850a5901315dc506f9dde275ca638 bind-9.11.1-P1.tar.gz
+# Verified from http://ftp.isc.org/isc/bind9/9.11.1-P1/bind-9.11.1-P2.tar.gz.sha256.asc
+sha256 bf53c6431575ae1612ddef66d18ef9baf2a22d842fa5b0cadc971919fd81fea5 bind-9.11.1-P2.tar.gz
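Review bot: The "Verified from" comment on the added line still points at the 9.11.1-P1/ directory while naming bind-9.11.1-P2.tar.gz.sha256.asc, so the URL does not match the release whose hash follows. Since BIND_SITE in bind.mk is built from $(BIND_VERSION), the comment should use the same directory: http://ftp.isc.org/isc/bind9/9.11.1-P2/bind-9.11.1-P2.tar.gz.sha256.asc, so that anyone re-checking the sha256 against the signed upstream file is sent to the right path.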
diff --git a/package/bind/bind.mk b/package/bind/bind.mk
index b588eb5223..fd5369a3ea 100644
--- a/package/bind/bind.mk
+++ b/package/bind/bind.mk
@@ -4,7 +4,7 @@
#
################################################################################
-BIND_VERSION = 9.11.1-P1
+BIND_VERSION = 9.11.1-P2
BIND_SITE = ftp://ftp.isc.org/isc/bind9/$(BIND_VERSION)
# bind does not support parallel builds.
BIND_MAKE = $(MAKE1)
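Review bot: The unchanged BIND_SITE line under the bumped BIND_VERSION still fetches over ftp://, so for this security release the sha256 in bind.hash is the only integrity check on the downloaded tarball; moving the site to HTTPS, if upstream offers it, would be worth a follow-up patch. Separately, the commit message labels the second issue CVE-2017-3041 while the advisory link beneath it is for CVE-2017-3143; the two should agree before this is applied so the fix is tracked under the right identifier.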
--
2.11.0
* [Buildroot] [PATCH] bind: security bump to version 9.11.1-P2
From: Thomas Petazzoni @ 2017-07-02 21:51 UTC
To: buildroot
Hello,
On Sun, 2 Jul 2017 17:01:48 +0200, Peter Korsgaard wrote:
> Fixes the following security issues:
>
> CVE-2017-3142: An error in TSIG authentication can permit unauthorized zone
> transfers
>
> An attacker who is able to send and receive messages to an authoritative DNS
> server and who has knowledge of a valid TSIG key name may be able to
> circumvent TSIG authentication of AXFR requests via a carefully constructed
> request packet. A server that relies solely on TSIG keys for protection with
> no other ACL protection could be manipulated into:
>
> * providing an AXFR of a zone to an unauthorized recipient
> * accepting bogus NOTIFY packets
>
> https://kb.isc.org/article/AA-01504/74/CVE-2017-3142
>
> CVE-2017-3041: An error in TSIG authentication can permit unauthorized dynamic
> updates
>
> An attacker who is able to send and receive messages to an authoritative DNS
> server and who has knowledge of a valid TSIG key name for the zone and service
> being targeted may be able to manipulate BIND into accepting an unauthorized
> dynamic update.
>
> https://kb.isc.org/article/AA-01503/74/CVE-2017-3143
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
> package/bind/bind.hash | 4 ++--
> package/bind/bind.mk | 2 +-
> 2 files changed, 3 insertions(+), 3 deletions(-)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com
* [Buildroot] [PATCH] bind: security bump to version 9.11.1-P2
From: Peter Korsgaard @ 2017-07-04 15:33 UTC
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issues:
> CVE-2017-3142: An error in TSIG authentication can permit unauthorized zone
> transfers
> An attacker who is able to send and receive messages to an authoritative DNS
> server and who has knowledge of a valid TSIG key name may be able to
> circumvent TSIG authentication of AXFR requests via a carefully constructed
> request packet. A server that relies solely on TSIG keys for protection with
> no other ACL protection could be manipulated into:
> * providing an AXFR of a zone to an unauthorized recipient
> * accepting bogus NOTIFY packets
> https://kb.isc.org/article/AA-01504/74/CVE-2017-3142
> CVE-2017-3041: An error in TSIG authentication can permit unauthorized dynamic
> updates
> An attacker who is able to send and receive messages to an authoritative DNS
> server and who has knowledge of a valid TSIG key name for the zone and service
> being targeted may be able to manipulate BIND into accepting an unauthorized
> dynamic update.
> https://kb.isc.org/article/AA-01503/74/CVE-2017-3143
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2017.02.x and 2017.05.x, thanks.
--
Bye, Peter Korsgaard