Opened 4 years ago
Closed 4 years ago
#14683 closed enhancement (fixed)
Revert to bind-9.16.11 due to regressions
Reported by: Douglas R. Reno
Owned by: Douglas R. Reno
Priority: normal
Milestone: 10.1
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:
Description
This morning, I received a message from oss-security titled '[oss-security] BIND Operational Notification: Enabling the new BIND option "stale-answer-client-timeout" can result in unexpected server termination'.
Since we have 9.16.12, we need to apply a patch. First, the contents of the email:
To the packagers and redistributors of BIND --

Regrettably, a problem has been discovered in two of the three public release versions of BIND we issued yesterday (17 February). A change to the serve-stale feature in BIND 9.16.12 and BIND 9.17.10 can cause the server to exit unexpectedly when that feature is in use. Below is a message we shared with subscribers to our bind-announce public list, and I reproduce it here in case any of you did not see it there.

To most users we are recommending the use of one of the workarounds listed in the Workarounds section of the accompanying Operational Notification document. As packagers and redistributors of BIND, however, you are generally not in a position to choose your users' config options. We have a couple of recommendations:

1) BIND 9.17.10 is an experimental development release and probably not widely used for building packages. But if you are packaging and/or redistributing BIND 9.16.x and have not yet issued updated packages based on 9.16.12, you might wish to hold off. HOWEVER, you will have also seen that yesterday we disclosed a vulnerability in that version (CVE-2020-8625). You might prefer to issue a package based on 9.16.11, since the serve-stale bug is not yet present in that version, but with the patch diff found in https://downloads.isc.org/isc/bind9/9.16.12/patches/CVE-2020-8625.patch applied to correct the CVE-2020-8625 vulnerability.

2) If you already have packages based on 9.16.12, we expect to have a patch ready well before the next maintenance release. A candidate patch is under review now and can be delivered after review and quality assurance testing. If you wish to receive updates on the progress of this patch, please e-mail your request to security-officer@isc.org

We're sorry for the mess this creates.

Michael McNally (for ISC Security Officer)
The patch itself can be found here: https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4714/diffs?commit_id=26d950a3bd44e8a904186d323e41cddbb75918e2
Change History (5)
comment:1 by , 4 years ago
Owner: changed from | to
Status: new → assigned
comment:2 by , 4 years ago
comment:3 by , 4 years ago
Summary: Fix a regression in BIND caused by 9.16.12's security update → Revert to bind-9.16.11 due to regressions
After talking to Bruce, we're going to revert to 9.16.11.
comment:4 by , 4 years ago
This is the sed that I devised since it's a one-line patch:
sed -i '851 s/len/(len + 1)/' lib/dns/spnego.c
Working on this now, will get it in before I call it a night.
I would like to discuss reverting to BIND 9.16.11 with the proper security patches applied.
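The one-line sed in the comment above rewrites whatever happens to be on line 851 of the spnego.c it is pointed at, so before applying it to a tarball it is worth confirming that the line actually carries the text the CVE-2020-8625 patch expects. The shell helper below is an added example, not code from this ticket, from BLFS or from ISC: it applies a line-number-addressed substitution only after checking that the target line contains an expected fixed string, and refuses (leaving the file untouched) otherwise. The C fragment it is run against is constructed for the demonstration and is not the real lib/dns/spnego.c; its line numbers, function name and logic are invented to fit the sample, and the helper names guarded_line_edit and make_sample are this example's own.

```shell
#!/bin/sh
# Added example (not from the ticket, not from BIND/ISC): make a
# line-number-addressed sed edit refuse to run unless the target line
# contains the text the patch expects. A bare `sed -i '851 s/len/(len + 1)/'`
# rewrites whatever is on line 851 of the file you actually have.

# guarded_line_edit FILE LINENO EXPECT SED_EXPR
#   EXPECT   fixed string that must appear on line LINENO (matched with grep -F)
#   SED_EXPR sed command applied to that line only, e.g. 's/len/(len + 1)/'
# Exit status: 0 edited, 1 line did not match (file untouched), 2 no such file.
guarded_line_edit() {
    file=$1; lineno=$2; expect=$3; sed_expr=$4
    [ -f "$file" ] || { echo "guarded_line_edit: no such file: $file" >&2; return 2; }
    line=$(sed -n "${lineno}p" "$file")
    if ! printf '%s\n' "$line" | grep -Fq -- "$expect"; then
        echo "guarded_line_edit: line $lineno of $file does not contain '$expect':" >&2
        echo "    $line" >&2
        return 1
    fi
    # Write through a temp file instead of sed -i: -i differs between sed flavours.
    tmp="$file.tmp.$$"
    sed "${lineno}${sed_expr}" "$file" > "$tmp" && mv "$tmp" "$file"
}

# make_sample FILE: write a CONSTRUCTED stand-in for the source file. This is
# not lib/dns/spnego.c; names, line numbers and logic are invented so the demo
# runs offline. Line 6 is the one the substitution is meant for.
make_sample() {
    cat > "$1" <<'EOF'
static int
check_token(int len, size_t total_len)
{
    if (len < 0)
        return (-1);
    if ((size_t)len < total_len)
        return (-1);
    return (0);
}
EOF
}

# Demo: the right line is edited; pointing the same edit at the wrong line is refused.
demo() {
    f=$(mktemp) || return 1
    make_sample "$f"
    guarded_line_edit "$f" 6 'if ((size_t)len < total_len)' 's/len/(len + 1)/' \
        && echo "edited line 6: $(sed -n 6p "$f")"
    guarded_line_edit "$f" 3 'if ((size_t)len < total_len)' 's/len/(len + 1)/' \
        || echo "refused line 3, file left untouched"
    rm -f "$f"
}
demo
```

For a vendored tarball the more robust route is still to apply ISC's published CVE-2020-8625.patch with patch -p1, since a hunk's context lines perform this same check for you; the guarded sed form is for the case where only a one-line substitution is at hand.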