[3.9] bind: Update policies krb5-subdomain and ms-subdomain (CVE-2018-5741) (#9462) · Issues · alpine / aports

[3.9] bind: Update policies krb5-subdomain and ms-subdomain (CVE-2018-5741)

In order to provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were.

Versions affected:

The behavior described is present in all versions of BIND 9 which contain the krb5-subdomain and ms-subdomain update
policies prior to our upcoming maintenance releases, BIND 9.11.5 and 9.12.3. However, the misleading documentation
is not present in all versions.

References:

https://kb.isc.org/docs/cve-2018-5741
https://www.openwall.com/lists/oss-security/2018/09/19/11

(from redmine: issue id 9462, created on 2018-09-25, closed on 2018-12-04)

Relations:
- parent #9461 (closed)
Changesets:
- Revision 51978afa by Taner Tas on 2018-11-29T14:47:56Z:

main/bind: Upgrade to 9.12.3

* Add "--disable-isc-spnego" to use gss-spnego instead.

fixes #9462

In order to provide fine-grained controls over the ability to use
Dynamic DNS (DDNS) to update records in a zone, BIND provides a feature
called update-policy. Various rules can be configured to limit the types
of updates that can be performed by a client, depending on the key used
when sending the update request. Unfortunately some rule types were not
initially documented, and when documentation for them was added to the
Administrator Reference Manual (ARM) in change, the language that was
added to the ARM at that time incorrectly described the behavior of two
rule types, krb5-subdomain and ms-subdomain. This incorrect
documentation could mislead operators into believing that policies they
had configured were more restrictive than they actually were.

### Versions affected:

The behavior described is present in all versions of BIND 9 which
contain the krb5-subdomain and ms-subdomain update  
policies prior to our upcoming maintenance releases, BIND 9.11.5 and
9.12.3. However, the misleading documentation  
is not present in all versions.

### References:

https://kb.isc.org/docs/cve-2018-5741  
https://www.openwall.com/lists/oss-security/2018/09/19/11

*(from redmine: issue id 9462, created on 2018-09-25, closed on 2018-12-04)*

* Relations:
  * parent #9461
* Changesets:
  * Revision 51978afa8a1151a013383d4dfe8297e90c29ff31 by Taner Tas on 2018-11-29T14:47:56Z:

```
main/bind: Upgrade to 9.12.3

* Add "--disable-isc-spnego" to use gss-spnego instead.

fixes #9462
```

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information