samba-ad bind-dlz AXFR allow bug
Denis Cardon
dcardon at tranquil.it
Thu Oct 10 09:41:19 UTC 2019
Hi everyone,
Yesterday I had a look at the AXFR bug in the Samba Bind-DLZ
module [1] (the current Samba DLZ module accepts DNS zone transfer requests
from anybody).
A fix has been proposed by Julien Ropé [2]. The patch does work as
expected (I have not looked into why the pipeline did not go through).
However, while fixing this bug Julien stumbled on an isc-bind bug [3],
which resulted in a new patch [4] that was considered a potential
security issue by the Bind9 team (CVE-2019-6465).
This fix is part of Bind9 version 9.11.5 or later. However, CentOS7 ships
version 9.11.4 with a patchset released this summer [5] which addresses a
series of bugs and security issues, but it is missing CVE-2019-6465
even though the patch was already released at that time. According to
the Red Hat errata dated February, it was planned to be included in a
future bind9 release [6].
Red Hat does not ship Samba-AD, so there are no issues here with the Samba
Bind-DLZ module as far as Red Hat is concerned; however, this issue also
affects other DLZ modules.
Do you all think this patch [4] may be going into the upstream RHEL7/CentOS7
rpm in the near future? If I ask customers with active subscriptions to
report this issue, would it get fixed more quickly?
Adding the patch to the bind9 srcrpm is not very complicated, however I
am not eager to ship patched rpms of bind9 alongside Samba packages for such
a small patch... Another option would be to just remove AXFR
altogether from the samba bind-dlz module in our CentOS rpms for the
time being...
Cheers,
Denis
[1] https://bugzilla.samba.org/show_bug.cgi?id=9634
[2] https://gitlab.com/samba-team/samba/merge_requests/169#note_194230102
[3] https://gitlab.isc.org/isc-projects/bind9/issues/790
[4] https://gitlab.isc.org/isc-projects/bind9/commit/a9307de85e147f4756c75d15aa221d2262df7d67
[5] https://access.redhat.com/errata/RHSA-2019:2057
[6] https://access.redhat.com/security/cve/cve-2019-6465
--
Denis Cardon
Tranquil IT
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755
http://www.tranquil.it
Tranquil IT is hiring! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
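The message above describes a DLZ module that answers zone transfer requests from any client. An administrator who has applied (or is waiting for) the patches discussed will want a repeatable way to confirm that their own Samba AD / BIND-DLZ server now refuses AXFR. The following script is an added example, not code from this thread, from Samba or from ISC: it builds a raw AXFR query with only the Python standard library, sends it over TCP to a server you name, and reports whether the server returned zone records or an error code. The server and zone names are placeholders to be replaced with your own, and the two sample responses embedded in the block are constructed for offline illustration.

```python
"""Audit check: does a DNS server answer an AXFR request for a zone?

Added example (not from the samba-technical thread, Samba or ISC).
Speaks raw DNS over TCP using only the standard library so it can be
run against your own DNS server after patching. Server and zone names
are assumed placeholders; SAMPLE_* responses are constructed.
"""
import socket
import struct

QTYPE_AXFR = 252
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """Encode a dotted zone name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """Build one AXFR query message (without the 2-byte TCP length prefix)."""
    # Header: ID, flags (none set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return header + question


def classify_response(msg: bytes) -> dict:
    """Read the DNS header of a response and decide if the transfer was served.

    A server that enforces transfer ACLs answers with RCODE REFUSED (or
    NOTAUTH) and no answer records; a server that leaks the zone returns
    NOERROR with at least one answer record (the leading SOA).
    """
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {
        "txid": txid,
        "rcode": RCODE_NAMES.get(rcode, str(rcode)),
        "answers": an,
        "transfer_allowed": rcode == 0 and an > 0,
    }


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a TCP socket or raise."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def check_axfr(server: str, zone: str, port: int = 53, timeout: float = 5.0) -> dict:
    """Send one AXFR query over TCP and classify the first response message."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        return classify_response(_recv_exact(sock, length))


# Constructed sample responses (header + echoed question) for offline use.
_QUESTION = encode_name("example.lan") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
# QR set, RCODE=5 (REFUSED), no answers: transfer correctly denied.
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + _QUESTION
# QR and AA set, RCODE=0, three answer records: transfer served to the client.
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 3, 0, 0) + _QUESTION


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Usage: python axfr_check.py <dns-server-placeholder> <zone-placeholder>
        print(check_axfr(sys.argv[1], sys.argv[2]))
    else:
        print("refused sample:", classify_response(SAMPLE_REFUSED))
        print("open sample:   ", classify_response(SAMPLE_OPEN))
```

Only the first message of the transfer is inspected: that is enough to tell a refusal from a served zone, and the script never needs to read or store the zone contents. Run it against a domain controller from a host that should not be allowed to transfer the zone; `transfer_allowed` should be `False`.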