Date: Mon, 17 Apr 2017 11:41:58 -0800 From: ISC Security Officer <security-officer@....org> To: oss-security@...ts.openwall.com Subject: Additional information for packagers concerning recent BIND security vulnerabilities [Apologies to those who receive multiple copies of this message but we were asked to notify oss-security after sending details to the distros security list.] To all BIND packagers and redistributors: Recently we sent you information about several BIND vulnerabilities, including CVE-2017-3137. After providing that information we received feedback from multiple parties concerning a potential pitfall for those who are trying to selectively backport the fix for CVE-2017-3137 to earlier versions of BIND. Since we do not know which of you may be trying to do this we are notifying all parties to whom we sent the CVE details. If you are using the security releases provided by ISC without changes or if you are not trying to selectively backport fixes to earlier BIND versions you can ignore the rest of this message. For those who ARE backporting the security fixes to earlier versions of BIND: several parties have reported to us that backporting to a version of BIND that does not have change #4190 can cause an assertion failure to appear in name.c in the vicinity of line 2150 (the exact line number varies by version) with the error message: REQUIRE(prefix == ((void *)0) || ((((prefix) != ((void *)0)) && (((const isc__magic_t *)(prefix))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n'))))) && prefix->buffer != ((void *)0) && ((prefix->attributes & (0x00000002|0x00000004)) == 0))) failed To test whether the version of BIND you have produced is subject to this assertion failure, we recommend you run the dname test in the provided BIND system tests. (Actually, we recommend you run that in any case.) build named: ./configure && make then: cd bin/tests/system as root: sh ./ifconfig.sh up sh ./run.sh dname If your named crashes you should correct the problem; see change #4190. ISC doesn't officially support selective backporting of changes and we cannot guarantee that there may not be other issues, depending on which combination of changes you have selected. However this issue has been reported by several parties and we are providing what info we have on it in the hopes that it will help those who repackage and redistribute our code. Michael McNally ISC Security Officer
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ