Bug 186556 - net-dns/bind < 9.4.1_p1 multiple vulnerabilities (CVE-2007-2925, CVE-2007-2926)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.isc.org/sw/bind/bind-secur...
Whiteboard: B4 [glsa] p-y
Keywords:
Depends on:
Blocks:
 
Reported: 2007-07-25 08:36 UTC by Wolfram Schlich (RETIRED)
Modified: 2007-08-25 22:12 UTC
Description Wolfram Schlich (RETIRED) gentoo-dev 2007-07-25 08:36:14 UTC
CVE-2007-2925: allow-query-cache/allow-recursion default acls not set.
CVE-2007-2926: cryptographically weak query ids
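
An operator-side check for the CVE-2007-2925 issue summarized above (an added example, not part of the bug report or of ISC's code): it reports whether the global `options` block of a named.conf sets `allow-recursion` and `allow-query-cache` explicitly instead of relying on built-in defaults. The sample configurations, the function names and the restriction to the global `options` block (views are ignored) are assumptions.

```python
import re

# Constructed sample configurations (not taken from the bug report).
DEFAULTS_ONLY = '''
options {
    directory "/var/bind";
    listen-on { any; };   // no recursion/cache ACLs: built-in defaults apply
};
'''
EXPLICIT = '''
acl trusted { 127.0.0.1; 192.0.2.0/24; };
options {
    directory "/var/bind";
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};
'''

ACL_OPTIONS = ("allow-recursion", "allow-query-cache")

def strip_comments(text):
    # Simplification: assumes comment markers never occur inside quoted strings.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def options_body(text):
    """Return the body of the first options { ... } block, tracking nested braces."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    return ""

def audit(conf):
    """Map each ACL option to 'missing', 'any' or 'restricted'."""
    body = options_body(strip_comments(conf))
    report = {}
    for opt in ACL_OPTIONS:
        m = re.search(r"(?<![\w-])" + re.escape(opt) + r"\s*\{([^}]*)\}", body)
        elems = [e.strip() for e in m.group(1).split(";")] if m else None
        report[opt] = "missing" if elems is None else "any" if "any" in elems else "restricted"
    return report
```

A `missing` or `any` result marks a resolver whose recursion and cache access should be reviewed against the intended client set.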
Comment 1 Matus UHLAR - fantomas 2007-07-27 08:33:26 UTC
pardon me, but will anyone take care of this?
This bug has been here for 2 days, 
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-27 09:03:48 UTC
(In reply to comment #1)
> pardon me, but will anyone take care of this?
> This bug has been here for 2 days,  

Yeah, but we are quite understaffed atm, plus it's holidays so we're doing what we can here. 

@bind: please bump as necessary.
Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-27 12:21:13 UTC
As per http://article.gmane.org/gmane.linux.gentoo.devel/49788 I offered to help with bind - so here it goes. bind and bind-tools bumped to 9.4.1_p1, works for me and passes all tests. 
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-07-27 14:02:49 UTC
Thanks a lot Tobias.

Hi arches, please test and mark stable bind-9.4.1_p1

Additionally, but it is not needed for a possible GLSA, arm and s390 will have to keyword bind-9.4.* if they want to be safe, unless someone backports the fix.

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2007-07-27 16:36:36 UTC
Stable for HPPA.
Comment 6 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-27 17:08:58 UTC
sparc stable.
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-27 22:57:26 UTC
(In reply to comment #4)
> Hi arches, please test and mark stable bind-9.4.1_p1

Plus the corresponding bind-tools-9.4.1_p1 ;)
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2007-07-28 12:57:27 UTC
alpha/ia64/x86 stable
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-28 13:20:37 UTC
ppc stable
Comment 10 Jonas Pedersen 2007-07-28 14:50:36 UTC
net-dns/bind-9.4.1_p1  USE="berkdb mysql ssl threads -dlz -doc -idn -ipv6 -ldap -odbc -postgres -resolvconf (-selinux) -urandom"
net-dns/bind-tools-9.4.1_p1  USE="-idn -ipv6"

1. Emerges on AMD64. 
2. No collisions etc. 
3. Works. 

It has not been in the tree for long, but this corrects security issues. I have upgraded it on my server and it has been running for around 3 hours without problems. Please mark stable on AMD64.


Comment 11 Steve Dibb (RETIRED) gentoo-dev 2007-07-28 18:26:58 UTC
amd64 stable
Comment 12 Markus Rothe (RETIRED) gentoo-dev 2007-07-30 07:16:24 UTC
ppc64 stable
Comment 13 Carsten Lohrke (RETIRED) gentoo-dev 2007-07-30 15:07:00 UTC
How can this be seen as a minor issue? Just because ISC plays it down!? Quite the opposite, imho.

Please read http://www.trusteer.com/docs/bind9dns_s.html, summary below.

DNS cache poisoning is a very potent attack, made possible (in the case of BIND 9) by a flawed implementation of the DNS server, enabling an attacker to predict DNS transaction IDs. With DNS cache poisoning, an attacker can redirect traffic originally destined to a host name, to an IP address under his/her control, thus effectively conducting a large-scale pharming attack affecting all clients of the DNS server (ISP-wide or enterprise-wide).
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-30 15:26:24 UTC
agreed, but currently this kind of attack isn't explicitly mentioned in our policy, maybe we should think about updating it to take that into account.

cc'ing amd64 again, you forgot to stable bind-tools too.

Btw, time for glsa vote, and obviously voting yes :)

Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-30 15:33:13 UTC
I vote YES.
Comment 16 Tiago Cunha (RETIRED) gentoo-dev 2007-07-30 16:01:29 UTC
net-dns/bind-tools-9.4.1_p1  USE="ipv6 -idn"

1. Emerges on AMD64.
2. No collisions.
3. Test phase ok.
4. Works (can't test nsupdate) - and tested with net-analyzer/gnome-nettool rdep.

Comment 17 Christoph Mende (RETIRED) gentoo-dev 2007-07-31 19:41:20 UTC
amd64 stable
Comment 18 Joshua Kinard gentoo-dev 2007-08-01 06:06:24 UTC
mips stable.
Comment 19 Matt Drew (RETIRED) gentoo-dev 2007-08-05 10:40:18 UTC
Definitely, I vote yes.  Request filed.
Comment 20 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-08-18 20:21:13 UTC
it's GLSA 200708-13, thanks everybody