From upstream release notes at $URL:

Security Fixes

Prevents a named assert (crash) when validating caused by using "Bad cache" data before it has been initialized. [RT #30025]

A condition has been corrected where improper handling of zero-length RDATA could cause undesirable behavior, including termination of the named process. [RT #29644]

Also see:
https://kb.isc.org/article/AA-00729
https://kb.isc.org/article/AA-00730
9.8.3-P2 and 9.9.1-P2 are in the tree now. Please prefer 9.9.1-P2 over 9.8.3-P2 in case you want to stabilize any of those versions.
(In reply to comment #1)
> 9.8.3-P2 and 9.9.1-P2 are in the tree now.
> Please prefer 9.9.1-P2 over 9.8.3-P2 in case you want to stabilize any of
> those versions.

Thanks, Christian.

Arches, please test and mark stable:
=net-dns/bind-9.9.1_p2
Target KEYWORDS="alpha amd64 arm hppa ia64 ~mips ppc ~ppc64 s390 sh sparc x86 ~x86-fbsd"
Stable for HPPA.
x86 stable
amd64 stable
Stable ppc/ppc64
Okay I hit this while trying to stabilize on arm, but it is going to be a problem on all arches (tested on amd64 just to be sure). If one builds openssl with USE="bindist", then openssl is built without gost support. If one then tries to build bind with USE="gost", bind configure fails with:

checking for OpenSSL GOST support... no

Obviously.

Since this is a corner case, and we're addressing a security issue, I'll continue with arm stabilization. The maintainers may want to address this post-stabilization with some REQUIRED_USE constraint.
Stable arm
(In reply to comment #7)
> Okay I hit this while trying to stabilize on arm, but it is going to be a
> problem on all arches (tested on amd64 just to be sure). If one builds
> openssl with USE="bindist", then openssl is built without gost support. If
> one then tries to build bind with USE="gost", bind configure fails with:
>
> checking for OpenSSL GOST support... no
>
>
> Obviously.
>
> Since this is a corner case, and we're addressing a security issue, I'll
> continue with arm stabilization. The maintainers may want to address this
> post-stabilization with some REQUIRED_USE constraint.

The OpenSSL dependency when using GOST has been fixed in all versions to depend on openssl[-bindist].
*ping*
alpha/ia64/s390/sh/sparc stable
Thanks, folks. GLSA Vote: yes.
GLSA vote: yes. Drafted GLSA.
This issue was resolved and addressed in GLSA 201209-04 at http://security.gentoo.org/glsa/glsa-201209-04.xml by GLSA coordinator Sean Amoss (ackle).