Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <cf512b42-ebd9-ec59-e2b1-326368f53f3b@isc.org>
Date: Mon, 17 Apr 2017 11:41:58 -0800
From: ISC Security Officer <security-officer@....org>
To: oss-security@...ts.openwall.com
Subject: Additional information for packagers concerning recent BIND security
 vulnerabilities

[Apologies to those who receive multiple copies of this message but
we were asked to notify oss-security after sending details to the
distros security list.]

To all BIND packagers and redistributors:

Recently we sent you information about several BIND vulnerabilities,
including CVE-2017-3137.  After providing that information we
received feedback from multiple parties concerning a potential pitfall
for those who are trying to selectively backport the fix for CVE-2017-3137
to earlier versions of BIND.  Since we do not know which of you may be
trying to do this we are notifying all parties to whom we sent the
CVE details.  If you are using the security releases provided by ISC
without changes or if you are not trying to selectively backport fixes
to earlier BIND versions you can ignore the rest of this message.

For those who ARE backporting the security fixes to earlier versions of
BIND:  several parties have reported to us that backporting to a
version of BIND that does not have change #4190 can cause an assertion
failure to appear in name.c in the vicinity of line 2150 (the exact line
number varies by version) with the error message:

  REQUIRE(prefix == ((void *)0) || ((((prefix) != ((void *)0)) &&
(((const isc__magic_t *)(prefix))->magic == ((('D') << 24 | ('N') << 16
| ('S') << 8 | ('n'))))) && prefix->buffer != ((void *)0) &&
((prefix->attributes & (0x00000002|0x00000004)) == 0))) failed

To test whether the version of BIND you have produced is subject to
this assertion failure, we recommend you run the dname test in the
provided BIND system tests.  (Actually, we recommend you run that
in any case.)

  build named:
    ./configure && make

  then:
    cd bin/tests/system
    as root:  sh ./ifconfig.sh up
    sh ./run.sh dname

If your named crashes you should correct the problem; see change #4190.

ISC doesn't officially support selective backporting of changes and we
cannot
guarantee that there may not be other issues, depending on which combination
of changes you have selected.  However this issue has been reported by
several
parties and we are providing what info we have on it in the hopes that
it will
help those who repackage and redistribute our code.

Michael McNally
ISC Security Officer

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.