Skip to content

GitLab

  • Projects
  • Groups
  • Snippets
  • Help
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in / Register
aports
aports
  • Project overview
    • Project overview
    • Details
    • Activity
    • Releases
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 647
    • Issues 647
    • List
    • Boards
    • Labels
    • Service Desk
    • Milestones
  • Merge Requests 196
    • Merge Requests 196
  • CI / CD
    • CI / CD
    • Pipelines
    • Jobs
    • Schedules
  • Operations
    • Operations
    • Environments
  • Analytics
    • Analytics
    • CI / CD
    • Repository
    • Value Stream
  • Members
    • Members
  • Collapse sidebar
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
  • alpine
  • aportsaports
  • Issues
  • #9462

Closed
Open
Opened Sep 25, 2018 by Alicha CH@alichaReporter
  • Report abuse
  • New issue
Report abuse New issue

[3.9] bind: Update policies krb5-subdomain and ms-subdomain (CVE-2018-5741)

In order to provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were.

Versions affected:

The behavior described is present in all versions of BIND 9 which contain the krb5-subdomain and ms-subdomain update
policies prior to our upcoming maintenance releases, BIND 9.11.5 and 9.12.3. However, the misleading documentation
is not present in all versions.

References:

https://kb.isc.org/docs/cve-2018-5741
https://www.openwall.com/lists/oss-security/2018/09/19/11

(from redmine: issue id 9462, created on 2018-09-25, closed on 2018-12-04)

  • Relations:
    • parent #9461 (closed)
  • Changesets:
    • Revision 51978afa by Taner Tas on 2018-11-29T14:47:56Z:
main/bind: Upgrade to 9.12.3

* Add "--disable-isc-spnego" to use gss-spnego instead.

fixes #9462
To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information
Assignee
Assign to
3.9.0
Milestone
3.9.0 (Past due)
Assign milestone
Time tracking
None
Due date
None
3
Labels
Normal tag:security type:bug
Assign labels
  • View project labels
Reference: alpine/aports#9462