Bug 356223 (CVE-2011-0414) - <net-dns/bind-9.7.3: Denial of Service Vulnerability (CVE-2011-0414)
Summary: <net-dns/bind-9.7.3: Denial of Service Vulnerability (CVE-2011-0414)
Status: RESOLVED FIXED
Alias: CVE-2011-0414
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: https://www.isc.org/software/bind/adv...
Whiteboard: B3 [glsa]
Reported: 2011-02-23 14:59 UTC by Tim Sammut (RETIRED)
Modified: 2012-06-02 13:59 UTC
Description Tim Sammut (RETIRED) gentoo-dev 2011-02-23 14:59:25 UTC
From $URL:

Description: 

When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur. This deadlock will cause the server to stop processing all requests. A high query rate and/or a high update rate will increase the probability of this condition.

CVSS Score: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Solution: 

If you run BIND 9.7.1 or 9.7.2, upgrade to BIND 9.7.3. Earlier versions are not vulnerable. If you run BIND 9.6.x, 9.6-ESV-Rx, or 9.4-ESV-R4, you do not need to upgrade.
BIND 9.5 is End of Life and is not supported by ISC. BIND 9.8 is not vulnerable.


@bind, =net-dns/bind-9.7.3 is already in the tree (thanks!). Can we move forward with stabilization?
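
The version window given in the advisory text above, as a check over version strings. This is an added example, not code from ISC or Gentoo; the function names, the accepted string styles and the "review" result for pre-release tags (which the page does not cover) are assumptions of the example.

```python
import re

# Window taken from the advisory text quoted above.
FIRST_AFFECTED = (9, 7, 1)   # "If you run BIND 9.7.1 or 9.7.2"
FIXED = (9, 7, 3)            # "upgrade to BIND 9.7.3"

# major.minor[.patch] plus an optional suffix (-P3, _p3, -ESV-R4, rc1, b2).
_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?([-_A-Za-z0-9]*)")
# Alpha, beta and release-candidate tags; patch tags (P/p) do not match.
_PRERELEASE = re.compile(r"^[-_]?(?:a|b|rc)", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor, patch), suffix) for the first version in text."""
    match = _VERSION.search(text)
    if match is None:
        raise ValueError(f"no BIND version found in {text!r}")
    major, minor, patch, suffix = match.groups()
    return (int(major), int(minor), int(patch or 0)), suffix


def classify(text):
    """Return 'affected', 'not affected' or 'review' for a version string."""
    triple, suffix = parse_version(text)
    # The page says nothing about pre-releases, so flag those for a human
    # instead of guessing (assumption of this example).
    if FIRST_AFFECTED <= triple <= FIXED and _PRERELEASE.match(suffix):
        return "review"
    if FIRST_AFFECTED <= triple < FIXED:
        return "affected"
    return "not affected"


# Constructed sample inputs: upstream style, Gentoo atom style, ESV style.
SAMPLES = ["BIND 9.7.2-P3", "net-dns/bind-9.7.1_p2", "9.7.0", "9.7.3",
           "9.6-ESV-R4", "9.8.0", "9.7.3rc1"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:24} {classify(sample)}")
```
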
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2011-02-23 16:19:24 UTC
(In reply to comment #0)
> @bind, =net-dns/bind-9.7.3 is already in the tree (thanks!). Can we move
> forward with stabilization?
> 

Sure :)
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-02-23 18:29:39 UTC
(In reply to comment #1)
> 
> Sure :)
> 

Great, thanks.

Arches, please test and mark stable:
=net-dns/bind-9.7.3
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Comment 3 Christian Ruppert (idl0r) gentoo-dev 2011-02-23 18:46:54 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > 
> > Sure :)
> > 
> 
> Great, thanks.
> 
> Arches, please test and mark stable:
> =net-dns/bind-9.7.3
> Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
> 

Sorry I totally forgot...
Please stabilize =net-dns/bind-tools-9.7.3 too then, as it belongs together.
Comment 4 Agostino Sarubbo gentoo-dev 2011-02-23 19:42:35 UTC
For me, there is a problem. In another system, I can reproduce the issue described in bug 347621 comment #8

To reproduce it, I'm compiling bind with all USE flags enabled:

[ebuild  N    ] net-dns/bind-9.7.3  USE="berkdb dlz doc geoip gssapi idn ipv6 ldap mysql odbc postgres resolvconf ssl threads urandom xml

Can anyone reproduce?
Comment 5 Christian Ruppert (idl0r) gentoo-dev 2011-02-23 20:53:28 UTC
(In reply to comment #4)
> for me, there is a problem. In another system, i can reproduce issue described
> in bug 347621 comment #8
> 
> To reproduce it i'm compiling bind enabling all USE flag:
> 
> [ebuild  N    ] net-dns/bind-9.7.3  USE="berkdb dlz doc geoip gssapi idn ipv6
> ldap mysql odbc postgres resolvconf ssl threads urandom xml
> 
> Anyone can reproduce?
> 

Ok, got it now :)
It's fixed in CVS, 9.6.3 and 9.7.3.
Thanks! :)
Comment 6 Agostino Sarubbo gentoo-dev 2011-02-24 13:05:09 UTC
(In reply to comment #5)
> Ok, got it now :)
> It's fixed in CVS, 9.6.3 and 9.7.3.
> Thanks! :)

Works!
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-24 15:03:47 UTC
x86 stable
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-02-24 16:57:15 UTC
ppc/ppc64 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2011-02-25 18:15:14 UTC
Stable for HPPA.
Comment 10 Markos Chandras (RETIRED) gentoo-dev 2011-02-26 09:40:24 UTC
amd64 done. Thanks Agostino
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2011-02-26 17:37:40 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-02-26 19:47:49 UTC
Thanks, everyone.

GLSA Vote: yes.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2011-02-28 22:23:16 UTC
> Sorry I totally forgot...
> Please stabilize =net-dns/bind-tools-9.7.3 too then, as it belongs together.

How do they belong together? I am running a BIND server and don't really see a need/dependency for them. 

Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2011-02-28 22:24:17 UTC
> GLSA Vote: yes.
Yes, too. Added to pending GLSA.

Comment 15 Christian Ruppert (idl0r) gentoo-dev 2011-03-01 16:37:41 UTC
(In reply to comment #13)
> > Sorry I totally forgot...
> > Please stabilize =net-dns/bind-tools-9.7.3 too then, as it belongs together.
> 
> How do they belong together? I am running a BIND server and don't really see a
> need/dependency for them. 
> 

E.g. dig, nsupdate and esp. dnssec-keygen. They often get fixes/new features etc. on bumps. But I'll file a new bug for it anyway.
Comment 16 Nico Baggus 2011-03-02 02:10:46 UTC
Stabilized?

see also: http://bugs.gentoo.org/show_bug.cgi?id=329001
build fails on amd64 with MAKEOPTS="-j3"
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:33:01 UTC
CVE-2011-0414 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0414):
  ISC BIND 9.7.1 through 9.7.2-P3, when configured as an authoritative server,
  allows remote attackers to cause a denial of service (deadlock and daemon
  hang) by sending a query at the time of (1) an IXFR transfer or (2) a DDNS
  update.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2012-06-02 13:59:50 UTC
This issue was resolved and addressed in
 GLSA 201206-01 at http://security.gentoo.org/glsa/glsa-201206-01.xml
by GLSA coordinator Stefan Behte (craig).