samba-ad bind-dlz AXFR allow bug

Denis Cardon dcardon at tranquil.it
Thu Oct 10 09:41:19 UTC 2019


Hi everyone,

I was looking yesterday into the AXFR bug in the Samba Bind-DLZ 
module [1] (the current Samba DLZ module accepts DNS zone transfer 
requests from anybody).

There has been a fix proposed by Julien Ropé [2]. The patch does work as 
expected (I have not looked into why the pipeline did not go through).

However, while fixing this bug Julien stumbled on an isc-bind bug [3], 
which resulted in a new patch [4] which was considered a potential 
security issue by the Bind9 team (CVE-2019-6465).

This fix is part of Bind9 version 9.11.5 or later. However, CentOS7 ships 
version 9.11.4 with a patchset released this summer [5] which addresses a 
series of bugs and security issues, but it is missing CVE-2019-6465, 
even though the patch was already released at that time. According to 
the Redhat errata dated from February it was planned to be included in a 
future bind9 release [6].

Redhat does not ship Samba-AD, so there are no issues here with the Samba 
Bind-DLZ module as far as Redhat is concerned; however, this issue also 
affects other DLZ modules.

Do you all think this patch [4] may be going in upstream Redhat7/CentOS7 
rpm in the near future? If I ask customers with active subscriptions to 
report this issue, would it be quicker to be fixed?

Adding the patch to the bind9 srcrpm is not very complicated, however I 
am not eager to ship a patched rpm of bind9 alongside Samba packages for 
such a small patch... Another option would be to just remove the AXFR 
altogether in the samba bind-dlz module from our CentOS rpms for the 
time being...

Cheers,

Denis

[1] https://bugzilla.samba.org/show_bug.cgi?id=9634
[2] https://gitlab.com/samba-team/samba/merge_requests/169#note_194230102
[3] https://gitlab.isc.org/isc-projects/bind9/issues/790
[4] https://gitlab.isc.org/isc-projects/bind9/commit/a9307de85e147f4756c75d15aa221d2262df7d67
[5] https://access.redhat.com/errata/RHSA-2019:2057
[6] https://access.redhat.com/security/cve/cve-2019-6465

-- 
Denis Cardon
Tranquil IT
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755
http://www.tranquil.it

Tranquil IT is hiring! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
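The bug Denis describes is that a DLZ-backed zone can be transferred by any client. As an added example (not code from the thread or from Samba), the following script verifies from an unauthorised host whether one of your own DCs hands out the zone; it assumes `dig` (bind-utils) is on PATH, and the two dig outputs embedded in it are constructed samples, not captures.

```python
"""Check whether a DNS server serves a zone to an arbitrary AXFR client.

Added example, not code from the thread. Requires `dig` (bind-utils)
on PATH; run it from a host that should NOT be allowed to transfer
the zone. The sample outputs below are constructed, not captured.
"""
import subprocess

ALLOWED, REFUSED, ERROR = "TRANSFER_ALLOWED", "TRANSFER_REFUSED", "ERROR"

# Constructed dig output: a completed AXFR is bracketed by two SOA records.
SAMPLE_ALLOWED = (
    "; <<>> DiG 9.11.4 <<>> @dc1.example.test example.test AXFR\n"
    "example.test.\t3600\tIN\tSOA\tdc1.example.test. hostmaster.example.test. 7 900 600 86400 3600\n"
    "dc1.example.test.\t900\tIN\tA\t10.0.0.10\n"
    "example.test.\t3600\tIN\tSOA\tdc1.example.test. hostmaster.example.test. 7 900 600 86400 3600\n"
    ";; XFR size: 3 records (messages 1, bytes 180)\n"
)
# Constructed dig output from a server that applies its allow-transfer ACL.
SAMPLE_REFUSED = "; <<>> DiG 9.11.4 <<>> @dc1.example.test example.test AXFR\n; Transfer failed.\n"


def classify_axfr_output(dig_output: str) -> str:
    """Classify `dig ... AXFR` output. dig prefixes its own status lines
    with ';'; any other non-empty line is a record in presentation form."""
    records = [ln.split() for ln in dig_output.splitlines()
               if ln.strip() and not ln.lstrip().startswith(";")]
    if any(len(r) >= 5 and r[2:4] == ["IN", "SOA"] for r in records):
        return ALLOWED            # zone data came back: transfer was permitted
    if "Transfer failed" in dig_output:
        return REFUSED            # server answered REFUSED/NOTAUTH, no data
    return ERROR                  # timeout, unreachable server, or unparsed output


def check_zone_transfer(server: str, zone: str, timeout: int = 10) -> str:
    """Attempt an AXFR of `zone` from `server` and classify the outcome."""
    cmd = ["dig", f"@{server}", zone, "AXFR", f"+time={timeout}", "+tries=1"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=timeout + 5).stdout
    except (OSError, subprocess.TimeoutExpired):
        return ERROR
    return classify_axfr_output(out)


if __name__ == "__main__":
    import sys
    print(check_zone_transfer(sys.argv[1], sys.argv[2]))
```

A DC that still answers TRANSFER_ALLOWED to a client outside its allow-transfer ACL is running the unfixed DLZ module or a bind9 without the fix from [4].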
