All of lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [git commit branch/2017.05.x] bind: security bump to version 9.11.1-P2
@ 2017-07-04 15:32 Peter Korsgaard
  0 siblings, 0 replies; only message in thread
From: Peter Korsgaard @ 2017-07-04 15:32 UTC (permalink / raw)
  To: buildroot

commit: https://git.buildroot.net/buildroot/commit/?id=e1bcba49136d06145b693e21a57dc498c235da81
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2017.05.x

Fixes the following security issues:

CVE-2017-3142: An error in TSIG authentication can permit unauthorized zone
transfers

An attacker who is able to send and receive messages to an authoritative DNS
server and who has knowledge of a valid TSIG key name may be able to
circumvent TSIG authentication of AXFR requests via a carefully constructed
request packet. A server that relies solely on TSIG keys for protection with
no other ACL protection could be manipulated into:

* providing an AXFR of a zone to an unauthorized recipient
* accepting bogus NOTIFY packets

https://kb.isc.org/article/AA-01504/74/CVE-2017-3142

CVE-2017-3041: An error in TSIG authentication can permit unauthorized dynamic
updates

An attacker who is able to send and receive messages to an authoritative DNS
server and who has knowledge of a valid TSIG key name for the zone and service
being targeted may be able to manipulate BIND into accepting an unauthorized
dynamic update.

https://kb.isc.org/article/AA-01503/74/CVE-2017-3143

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
(cherry picked from commit a0c53973f87928ae51ca58926951c386c74fc023)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/bind/bind.hash | 4 ++--
 package/bind/bind.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/bind/bind.hash b/package/bind/bind.hash
index 3f0dda5..5dd15cb 100644
--- a/package/bind/bind.hash
+++ b/package/bind/bind.hash
@@ -1,2 +1,2 @@
-# Verified from http://ftp.isc.org/isc/bind9/9.11.1-P1/bind-9.11.1-P1.tar.gz.sha256.asc
-sha256 6b1b3e88d51b8471bd6aee24a8cea70817e850a5901315dc506f9dde275ca638 bind-9.11.1-P1.tar.gz
+# Verified from http://ftp.isc.org/isc/bind9/9.11.1-P1/bind-9.11.1-P2.tar.gz.sha256.asc
+sha256 bf53c6431575ae1612ddef66d18ef9baf2a22d842fa5b0cadc971919fd81fea5 bind-9.11.1-P2.tar.gz
diff --git a/package/bind/bind.mk b/package/bind/bind.mk
index b588eb5..fd5369a 100644
--- a/package/bind/bind.mk
+++ b/package/bind/bind.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-BIND_VERSION = 9.11.1-P1
+BIND_VERSION = 9.11.1-P2
 BIND_SITE = ftp://ftp.isc.org/isc/bind9/$(BIND_VERSION)
 # bind does not support parallel builds.
 BIND_MAKE = $(MAKE1)

^ permalink raw reply related	[flat|nested] only message in thread
only message in thread, other threads:[~2017-07-04 15:32 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-07-04 15:32 [Buildroot] [git commit branch/2017.05.x] bind: security bump to version 9.11.1-P2 Peter Korsgaard

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.