From Changelog: - Fix assertion failure when unbound generates an empty error reply in response to a query, CVE-2011-1922 VU#531342. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1912 https://www.kb.cert.org/vuls/id/531342 Reproducible: Always
According to [1] this is fixed in 1.4.10. @matsuu, thanks for putting 1.4.10 in the tree so quickly. Can we stabilize =net-dns/unbound-1.4.10? Thanks! [1] https://www.kb.cert.org/vuls/id/531342
Sorry for the delay. Please mark stable =net-dns/unbound-1.4.10. unbound-1.4.8.ebuild:KEYWORDS="amd64 x86 ~x64-macos" unbound-1.4.10.ebuild:KEYWORDS="~amd64 ~x86 ~x64-macos"
Tested on x86, looks good to go here.
amd64 ok
amd64: ditto Ago
amd64 stable
x86 stable, thanks Andreas (last arch done)
Thanks, everyone. GLSA Vote: yes.
CVE-2011-1922 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1922): daemon/worker.c in Unbound 1.x before 1.4.10, when debugging functionality and the interface-automatic option are enabled, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted DNS request that triggers improper error handling.
Vote: YES. New GLSA request filed.
This issue was resolved and addressed in GLSA 201110-12 at http://security.gentoo.org/glsa/glsa-201110-12.xml by GLSA coordinator Tobias Heinlein (keytoaster).