Bug 186556 - net-dns/bind < 9.4.1_p1 multiple vulnerabilities (CVE-2007-2925, CVE-2007-2926)
Bug#: 186556
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: minor
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: wschlich@gentoo.org
Component: Vulnerabilities
URL: http://www.isc.org/sw/bind/bind-security.php
Summary: net-dns/bind < 9.4.1_p1 multiple vulnerabilities (CVE-2007-2925, CVE-2007-2926)
Keywords:
Status Whiteboard: B4 [glsa] p-y
Opened: 2007-07-25 08:36 0000
CVE-2007-2925: allow-query-cache/allow-recursion default acls not set.
CVE-2007-2926: cryptographically weak query ids
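Added example, not part of the original bug report or of BIND: a small audit that checks whether a named.conf sets the two ACLs named in CVE-2007-2925 explicitly instead of relying on the server default. The sample configurations, the "trusted" ACL name and the addresses are constructed, and the parser is simplified (no include files, no nested ACL braces, no views).

```python
import re
REQUIRED = ("allow-recursion", "allow-query-cache")

def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # /* block */ comments
    return re.sub(r"(//|#)[^\n]*", "", text)            # // and # line comments

def options_body(text):
    """Return the body of the options { ... } block, or '' if absent/unbalanced."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    return ""

def audit(conf_text):
    """Map each required option to a finding; an empty dict means both are pinned."""
    body = options_body(strip_comments(conf_text))
    findings = {}
    for opt in REQUIRED:
        m = re.search(re.escape(opt) + r"\s*\{([^{}]*)\}", body)
        if not m:
            findings[opt] = "not set explicitly; relies on the server default"
            continue
        elements = [e.strip() for e in m.group(1).split(";") if e.strip()]
        if "any" in elements:
            findings[opt] = "matches any client"
    return findings

# Constructed sample configurations (hypothetical addresses and ACL name).
IMPLICIT = 'options {\n    directory "/var/bind";  // no ACLs given\n};\n'
PINNED = '''
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };
options {
    directory "/var/bind";
    allow-recursion { trusted; };      # recursion only for known clients
    allow-query-cache { trusted; };
};
'''

if __name__ == "__main__":
    print(audit(IMPLICIT), audit(PINNED))
```

A finding of "not set explicitly" is only a problem on versions whose default leaves the ACL open, which is what this bug tracks; pinning both options removes the dependence on the default.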
pardon me, but will anyone take care of this?
This bug has been here for 2 days,
(In reply to comment #1)
> pardon me, but will anyone take care of this?
> This bug has been here for 2 days,
Yeah, but we are quite understaffed atm, plus it's holidays so we're doing what
we can here.
@bind: please bump as necessary.
Thanks a lot Tobias.
Hi arches, please test and mark stable bind-9.4.1_p1
Additionally, but it is not needed for a possible GLSA, arm and s390 will have
to keyword bind-9.4.* if they want to be safe, unless someone backports the
fix.
(In reply to comment #4)
> Hi arches, please test and mark stable bind-9.4.1_p1
Plus the corresponding bind-tools-9.4.1_p1 ;)
net-dns/bind-9.4.1_p1 USE="berkdb mysql ssl threads -dlz -doc -idn -ipv6 -ldap
-odbc -postgres -resolvconf (-selinux) -urandom"
net-dns/bind-tools-9.4.1_p1 USE="-idn -ipv6"
1. Emerges on AMD64.
2. No collisions etc.
3. Works.
It has not been in the tree for long, but this corrects security issues. I
have upgraded it on my server and it has been running for around 3 hours
without problems. Please mark stable on AMD64.
Portage 2.1.2.9 (default-linux/amd64/2006.1, gcc-4.1.2, glibc-2.5-r4,
2.6.19-gentoo-r5 x86_64)
=================================================================
System uname: 2.6.19-gentoo-r5 x86_64 AMD Athlon(tm) 64 Processor 3500+
Gentoo Base System release 1.12.9
Timestamp of tree: Fri, 27 Jul 2007 21:50:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632)
[enabled]
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.32
dev-lang/python: 2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: 2.4-r7
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.23b
virtual/os-headers: 2.6.21
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O2 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/
/etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=athlon64 -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distcc distlocks metadata-transfer
multilib-strict sandbox sfperms strict test"
GENTOO_MIRRORS="http://gentoo.intergenia.de http://ftp.du.se/pub/os/gentoo
http://mirror.uni-c.dk/pub/gentoo/ http://ftp.lug.ro/gentoo/
http://trumpetti.atm.tut.fi/gentoo/"
LC_ALL="en_DK.utf-8"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acpi alsa amd64 apache2 berkdb bitmap-fonts cdr cli cracklib
crypt cups dga directfb dri dts dvd dvdr dvdread encode fbcn ffmpeg fortran gd
gdbm gif gpm iconv isdnlog ivtv jpeg libg++ lirc lm_sensors midi mjpeg mp3 mpeg
mplayer mudflap mysql ncurses nls nptl nptlonly nvidia ogg oggvorbis opengl
openmp pam pcre perl png ppds pppd python readline reflection samba session spl
ssl tcpd test threads tiff transcode truetype truetype-fonts type1-fonts
unicode vorbis x264 xorg xv xvid xvmc zlib" ALSA_CARDS="ali5451 als4000 atiixp
atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801
hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem
ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug
file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate
route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse"
KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001
mtxorb ncurses text" LIRC_DEVICES="hauppauge" USERLAND="GNU"
VIDEO_CARDS="nvidia"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, LINGUAS,
PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS,
PORTDIR_OVERLAY
How can this be seen as a minor issue? Just because ISC plays it down!? Quite
the opposite, imho.
Please read http://www.trusteer.com/docs/bind9dns_s.html, summary below.
DNS cache poisoning is a very potent attack, made possible (in the case of BIND
9) by a flawed implementation of the DNS server, enabling an attacker to
predict DNS transaction IDs. With DNS cache poisoning, an attacker can redirect
traffic originally destined to a host name, to an IP address under his/her
control, thus effectively conducting a large-scale pharming attack affecting
all clients of the DNS server (ISP-wide or enterprise-wide).
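Added example, not part of the original thread: a resolver-side check for the poisoning pattern summarized above, counting replies whose transaction ID does not match the outstanding query for the same server and name. The event tuple format, the threshold and all sample events are constructed assumptions.

```python
from collections import Counter

SERVER = "192.0.2.53"  # constructed upstream address (documentation range)

# Constructed resolver-side events, not captured traffic:
# (time in seconds, kind, upstream server, query name, 16-bit transaction ID)
EVENTS = [
    (0.000, "query", SERVER, "www.example.com", 0x1A2B),
    (0.010, "response", SERVER, "www.example.com", 0x0001),  # one stray reply
    (0.021, "response", SERVER, "www.example.com", 0x1A2B),
    (5.000, "query", SERVER, "mail.example.com", 0x7C01),
    (5.030, "response", SERVER, "mail.example.com", 0x7C01),
]
# A burst of replies claiming to come from the upstream, each with a wrong ID.
EVENTS += [(5.001 + i * 0.0001, "response", SERVER, "mail.example.com", 0x4000 + i)
           for i in range(40)]

def find_poisoning_attempts(events, max_mismatches=3):
    """Return {(server, qname): wrong_id_count} for flows over the threshold."""
    outstanding = {}        # (server, qname) -> transaction ID we sent
    mismatches = Counter()  # (server, qname) -> replies carrying a wrong ID
    for _ts, kind, server, qname, txid in sorted(events):
        key = (server, qname.lower())
        if kind == "query":
            outstanding[key] = txid
        elif key in outstanding:
            if txid == outstanding[key]:
                del outstanding[key]   # the matching answer closes the query
            else:
                mismatches[key] += 1   # wrong ID while the query is still open
        else:
            mismatches[key] += 1       # reply to nothing we asked
    return {k: n for k, n in mismatches.items() if n > max_mismatches}

if __name__ == "__main__":
    for (server, qname), n in find_poisoning_attempts(EVENTS).items():
        print(f"{qname} via {server}: {n} replies with a non-matching ID")
```

When IDs are predictable, a forged reply may match after very few guesses, so a low mismatch count is not evidence of safety; the upgrade requested in this bug is what removes the weakness.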
agreed, but currently this kind of attack isn't explicitly mentioned in our
policy, maybe we should think about updating it to take that into account.
cc'ing amd64 again, you forgot to stable bind-tools too.
Btw, time for GLSA vote, and obviously voting yes :)
net-dns/bind-tools-9.4.1_p1 USE="ipv6 -idn"
1. Emerges on AMD64.
2. No collisions.
3. Test phase ok.
4. Works (can't test nsupdate) - and tested with net-analyzer/gnome-nettool
rdep.
Portage 2.1.2.9 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r4,
2.6.20-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.20-gentoo-r8 x86_64 Intel(R) Pentium(R) D CPU 3.00GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Mon, 30 Jul 2007 07:50:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python: 2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache: 2.4-r7
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.23b
virtual/os-headers: 2.6.21
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=nocona -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/init.d
/etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/
/etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=nocona -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="-k"
FEATURES="ccache collision-protect distlocks metadata-transfer multilib-strict
parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="ftp://mirrors1.netvisao.pt/gentoo
http://darkstar.ist.utl.pt/pub/gentoo http://distfiles.gentoo.org
http://www.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X acl acpi alsa amd64 apache2 arts bash-completion bitmap-fonts cairo cdr
cli cracklib crypt dbus dri dts dvd dvdr dvdread emboss encode evo fam firefox
flac fortran gif gnome gpm gtk hal iconv ipv6 isdnlog jpeg kde kdeenablefinal
kdehiddenvisibility libg++ mad midi mikmod mmx mp3 mpeg mudflap musepack
musicbrainz mysql ncurses nptl nptlonly offensive ogg opengl openmp pam pcre
pdf perl png postgres pppd python qt3 qt3support qt4 quicktime readline
reflection sdl session spell spl sse sse2 ssl svg tcpd test tiff truetype
truetype-fonts type1-fonts unicode vorbis xcomposite xml xorg xscreensaver xv
zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci
emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m
maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route
share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses
text" USERLAND="GNU" VIDEO_CARDS="i810"
Unset: CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS,
PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS,
PORTDIR_OVERLAY
Definitely, I vote yes. Request filed.
it's GLSA 200708-13, thanks everybody