samba-ad bind-dlz AXFR allow bug
dcardon at tranquil.it
Thu Oct 10 09:41:19 UTC 2019
I was looking yesterday into the AXFR bug in the Samba Bind-DLZ
module (the current Samba DLZ module accepts DNS zone transfer requests
There has been a fix proposed by Julien Ropé. The patch does work as
expected (I have not looked into why the pipeline did not go through).
However, while fixing this bug Julien stumbled on an isc-bind bug,
which resulted in a new patch which was considered a potential
security issue by the Bind9 team (CVE-2019-6465).
This fix is part of Bind9 version 9.11.5 or later. However, CentOS7 ships
version 9.11.4 with a patchset released this summer which addresses a
series of bugs and security issues, but it is missing CVE-2019-6465
even though the patch was already released at that time. According to
the Redhat errata dated from February, it was planned to be included in a
future bind9 release.
Redhat does not ship Samba-AD, so there are no issues here with the Samba
Bind-DLZ module as far as Redhat is concerned; however, this issue also
affects other DLZ modules.
Do you all think this patch may be going into the upstream Redhat7/CentOS7
rpm in the near future? If I ask customers with active subscriptions to
report this issue, would it be fixed quicker?
Adding the patch to the bind9 srcrpm is not very complicated; however, I
am not eager to ship a patched rpm of bind9 along with Samba packages for such
a small patch... Another option would be to just remove the AXFR
altogether in the samba bind-dlz module from our CentOS rpms for the
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755
Tranquil IT recrute! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr