ESB-2017.1640 - [Ubuntu] bind9: Access confidential data - Remote/unauthenticated 2017-06-30

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1640
                           bind9 vulnerabilities
                               30 June 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           bind9
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-3143 CVE-2017-3142 

Reference:         ESB-2017.1638

Original Bulletin: 
   http://www.ubuntu.com/usn/usn-3346-1

--------------------------BEGIN INCLUDED TEXT--------------------


Ubuntu Security Notice USN-3346-1
June 29, 2017

bind9 vulnerabilities


A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.04
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Bind could be made to serve incorrect information or expose sensitive
information over the network.

Software Description:
- bind9: Internet Domain Name Server

Details:

Clément Berthaux discovered that Bind did not correctly check TSIG
authentication for zone update requests. An attacker could use this
to improperly perform zone updates. (CVE-2017-3143)

Clément Berthaux discovered that Bind did not correctly check TSIG
authentication for zone transfer requests. An attacker could use this
to improperly transfer entire zones. (CVE-2017-3142)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
  bind9                           1:9.10.3.dfsg.P4-10.1ubuntu5.1

Ubuntu 16.10:
  bind9                           1:9.10.3.dfsg.P4-10.1ubuntu1.7

Ubuntu 16.04 LTS:
  bind9                           1:9.10.3.dfsg.P4-8ubuntu1.7

Ubuntu 14.04 LTS:
  bind9                           1:9.9.5.dfsg-3ubuntu0.15

After a standard system update you need to restart Bind to make
all the necessary changes.

References:
  https://www.ubuntu.com/usn/usn-3346-1
  CVE-2017-3142, CVE-2017-3143

Package Information:
  https://launchpad.net/ubuntu/+source/bind9/1:9.10.3.dfsg.P4-10.1ubuntu5.1
  https://launchpad.net/ubuntu/+source/bind9/1:9.10.3.dfsg.P4-10.1ubuntu1.7
  https://launchpad.net/ubuntu/+source/bind9/1:9.10.3.dfsg.P4-8ubuntu1.7
  https://launchpad.net/ubuntu/+source/bind9/1:9.9.5.dfsg-3ubuntu0.15


--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================