samba-ad bind-dlz AXFR allow bug

Alexander Bokovoy ab at samba.org
Thu Oct 10 09:58:15 UTC 2019


On to, 10 loka 2019, Denis Cardon via samba-technical wrote:
> Hi everyone,
> 
> I have been looking yesterday into the AXFR bug in Samba Bind-DLZ module[1]
> (current Samba DLZ module accepts DNS zone transfer requests from anybody).
> 
> There has been a fix proposed by Julien Ropé [2]. The patch does work as
> expected (I have not looked into why the pipeline did not go through).
> 
> However, while fixing this bug Julien stumbled on an isc-bind bug [3], which
> resulted in a new patch [4] which was considered as a potential security
> issue by the Bind9 team (CVE-2019-6465).
> 
> This fix is part of Bind9 version 9.11.5 or later. However CentOS7 ships
> version 9.11.4 with a patchset released this summer [5] which addresses a
> series of bugs and security issues, but it is missing CVE-2019-6465 even
> though the patch was already released at that time. According to Redhat
> errata dated from February it was planned to be included in a future bind9
> release [6].
> 
> Redhat does not ship Samba-AD, so there are no issues here with the Samba
> Bind-DLZ module as far as Redhat is concerned; however this issue also
> affects other DLZ modules.
> 
> Do you all think this patch [4] may be going in upstream Redhat7/CentOS7 rpm
> in the near future? If I ask customers with active subscriptions to report
> this issue, would it be quicker to be fixed?

The patch is already included in the next minor RHEL 7 release plan.

Packages are done and ready for inclusion but it doesn't mean there is
an easy way to get them shipped in an earlier release.

Any RHEL customer with an active subscription may ask for a hotfix and for an
asynchronous z-stream update to get them earlier. Perhaps you can
propose that?

> 
> Adding the patch to the bind9 srcrpm is not very complicated, however I am
> not eager to ship patched rpm of bind9 along Samba packages for such a small
> patch... Another option would be to just remove the AXFR altogether in the
> samba bind-dlz module from our CentOS rpms for the time being...
> 
> Cheers,
> 
> Denis
> 
> [1] https://bugzilla.samba.org/show_bug.cgi?id=9634
> [2] https://gitlab.com/samba-team/samba/merge_requests/169#note_194230102
> [3] https://gitlab.isc.org/isc-projects/bind9/issues/790
> [4] https://gitlab.isc.org/isc-projects/bind9/commit/a9307de85e147f4756c75d15aa221d2262df7d67
> [5] https://access.redhat.com/errata/RHSA-2019:2057
> [6] https://access.redhat.com/security/cve/cve-2019-6465
> 
> -- 
> Denis Cardon
> Tranquil IT
> 12 avenue Jules Verne (Bat. A)
> 44230 Saint Sébastien sur Loire (FRANCE)
> tel : +33 (0) 240 975 755
> http://www.tranquil.it
> 
> Tranquil IT is hiring! https://www.tranquil.it/nous-rejoindre/
> Samba install wiki for Frenchies : https://dev.tranquil.it
> WAPT, software deployment made easy : https://wapt.fr
> 

-- 
/ Alexander Bokovoy