samba-ad bind-dlz AXFR allow bug

Denis Cardon dcardon at
Thu Oct 10 09:41:19 UTC 2019

Hi everyone,

I have been looking yesterday into the AXFR bug in Samba Bind-DLZ 
module[1] (current Samba DLZ module accepts DNS zone transfer requests 
from anybody).

There has been a fix proposed by Julien Ropé [2]. The patch does work as 
expected (I have not looked into why the pipeline did not go through).

However, while fixing this bug Julien stumbled on an isc-bind bug [3], 
which resulted in a new patch [4] which was considered a potential 
security issue by the Bind9 team (CVE-2019-6465).

This fix is part of Bind9 version 9.11.5 or later. However, CentOS7 ships 
version 9.11.4 with a patchset released this summer [5] which addresses a 
series of bugs and security issues, but it is missing CVE-2019-6465 
even though the patch was already released at that time. According to 
the Redhat errata dated February, it was planned to be included in a 
future bind9 release [6].

Redhat does not ship Samba-AD, so there are no issues here with the Samba 
Bind-DLZ module as far as Redhat is concerned; however, this issue also 
affects other DLZ modules.

Do you all think this patch [4] may go into the upstream Redhat7/CentOS7 
rpm in the near future? If I ask customers with active subscriptions to 
report this issue, would it get fixed more quickly?

Adding the patch to the bind9 srcrpm is not very complicated, however I 
am not eager to ship a patched rpm of bind9 alongside Samba packages for such 
a small patch... Another option would be to just remove the AXFR 
altogether in the samba bind-dlz module from our CentOS rpms for the 
time being...

Denis Cardon
Tranquil IT
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755

Tranquil IT is hiring!
Samba install wiki for Frenchies:
WAPT, software deployment made easy:
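Added note (not part of the mail above): whichever route is taken, patching bind9 or dropping AXFR from the dlz module, the admin will want to confirm afterwards that the DC actually refuses a zone transfer to a host outside its allow-transfer set. The helper below is example code, not Samba's or BIND's; it assumes `dig` is installed and that the DC and zone names are supplied by the caller, and it classifies dig's AXFR output rather than parsing records.

```shell
#!/bin/sh
# Example verification helper (added here, not part of Samba or BIND).
# Classifies the output of `dig @<dc> <zone> AXFR` so an administrator can
# confirm that a Samba AD DC running the bind-dlz module refuses zone
# transfers to hosts that are not allowed to request them.
#
# Prints "allowed" when the server handed over the zone, "refused" when it
# declined the transfer, and "unknown" when the result cannot be classified
# (timeout, connection refused, server not reachable, ...).
classify_axfr() {
  out="$1"
  case "$out" in
    *"XFR size:"*)       echo "allowed" ;;  # dig summarises a completed AXFR
    *"Transfer failed"*) echo "refused" ;;  # server answered REFUSED/NOTAUTH
    *)                   echo "unknown" ;;
  esac
}

# Runs dig against a DC you administer and classifies the result.
# Returns 0 only when the transfer was refused, so it can gate a post-patch
# check, e.g.:  check_dc_axfr dc1.example.lan example.lan || echo "FIX ME"
check_dc_axfr() {
  dc="$1"; zone="$2"
  out="$(dig @"$dc" "$zone" AXFR +time=5 +tries=1 2>&1)"
  result="$(classify_axfr "$out")"
  echo "$dc $zone: AXFR $result"
  [ "$result" = "refused" ]
}

# Constructed sample dig outputs used to exercise the classifier offline;
# they are placeholders, not captured from a real DC.
SAMPLE_ALLOWED='; <<>> DiG 9.11.4 <<>> @dc1.example.lan example.lan AXFR
example.lan.  3600 IN SOA dc1.example.lan. hostmaster.example.lan. 1 900 600 86400 3600
;; XFR size: 42 records (messages 1, bytes 1337)'
SAMPLE_REFUSED='; <<>> DiG 9.11.4 <<>> @dc1.example.lan example.lan AXFR
; Transfer failed.'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'
```

Run the check from a host that is not a DC and not listed in allow-transfer; "allowed" there means the DLZ zones are still transferable to anyone.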
