Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 279508 (CVE-2009-0696) - <net-dns/bind-9.4.3_p3 Denial of Service via dynamic update request (CVE-2009-0696)
Summary: <net-dns/bind-9.4.3_p3 Denial of Service via dynamic update request (CVE-2009...
Status: RESOLVED FIXED
Alias: CVE-2009-0696
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High critical (vote)
Assignee: Gentoo Security
URL: http://www.kb.cert.org/vuls/id/725188
Whiteboard: A3 [glsa]
Keywords:
: 279515 279579 (view as bug list)
Depends on:
Blocks:
 
Reported: 2009-07-28 19:57 UTC by Robert Buchholz (RETIRED)
Modified: 2009-08-10 21:59 UTC (History)
16 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-07-28 19:57:13 UTC
CERT wrote:

ISC BIND 9 contains a vulnerability that may allow a remote, unauthenticated attacker to create a denial-of-service condition.
I. Description
The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC). It includes support for dynamic DNS updates as specified in IETF RFC 2136. BIND 9 can crash when processing a specially-crafted dynamic update packet.
II. Impact
By sending a specially-crafted dynamic update packet to a BIND 9 server, a remote, unauthenticated attacker can cause a denial of service by causing BIND to crash.
III. Solution
Apply an update

Users who obtain BIND from a third-party vendor, such as their operating system vendor, should see the systems affected portion of this document for a partial list of affected vendors.

This vulnerability is addressed in ISC BIND versions 9.4.3-P3, 9.5.1-P3, and BIND 9.6.1-P1. Users of BIND from the original source distribution should upgrade to one of these versions, as appropriate.
Comment 1 Tobias Scherbaum (RETIRED) gentoo-dev 2009-07-28 20:38:49 UTC
Candidates for stabilization:

=net-dns/bind-9.4.3_p3
=net-dns/bind-tools-9.4.3_p3

Bumps for 9.5 and 9.6 will follow tomorrow.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-07-28 20:58:06 UTC
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev 2009-07-28 21:11:03 UTC
*** Bug 279515 has been marked as a duplicate of this bug. ***
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2009-07-28 23:42:41 UTC
Stable for HPPA.
Comment 5 Tony Vroon (RETIRED) gentoo-dev 2009-07-29 09:57:31 UTC
+ 29 Jul 2009; <chainsaw@gentoo.org> bind-9.4.3_p3.ebuild:
+ Marked stable on AMD64 as requested by Robert Buchholz <rbu@gentoo.org> in
+ security bug #279508. Tested with USE="berkdb idn ipv6 ldap resolvconf ssl
+ threads urandom -dlz -doc -mysql -odbc -postgres (-selinux)" on a Core2
+ Duo.
Comment 6 Robert R. Richter 2009-07-29 12:28:48 UTC
please mark stable for x86 - I have tested ~x86 - no problems so far!
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-07-29 13:01:56 UTC
I'll raise severity as impact is critical for production systems and the exploit is public.
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-29 13:12:43 UTC
*** Bug 279579 has been marked as a duplicate of this bug. ***
Comment 9 Markus Meier gentoo-dev 2009-07-29 21:20:08 UTC
x86 stable
Comment 10 Aleksandar Petrinic 2009-07-30 10:22:45 UTC
Why is not reported in Gentoo Linux Security Advisories ?
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2009-07-30 10:31:33 UTC
(In reply to comment #10)
> Why is not reported in Gentoo Linux Security Advisories ?
> 

Because it's not stable on all arches yet. See the vulnerability treatment policy if you want more details.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2009-07-30 12:27:16 UTC
bind herd, are you discontinuing support for bind 9.5 ? I saw 9.6 was bumped, but not 9.5.
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2009-07-30 15:37:25 UTC
(In reply to comment #12)
> bind herd, are you discontinuing support for bind 9.5 ? I saw 9.6 was bumped,
> but not 9.5.
> 

9.5.1_p3 is in CVS, too.

And please also note that the following packages should be marked as stable:
=net-dns/bind-9.4.3_p3
=net-dns/bind-tools-9.4.3_p3

therefore re-adding amd64.
Comment 14 Joe Jezak (RETIRED) gentoo-dev 2009-07-30 20:05:18 UTC
Marked ppc/ppc64 stable.
Comment 15 Markus Meier gentoo-dev 2009-07-30 21:11:46 UTC
amd64 stable
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2009-07-31 19:08:51 UTC
i'll remov
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2009-07-31 19:20:44 UTC
...e ppc and ppc64 since they are done
Comment 18 Tiago Cunha (RETIRED) gentoo-dev 2009-07-31 21:29:54 UTC
net-dns/bind-tools/bind-tools-9.4.3_p3.ebuild: RDEPEND is not explicitly assigned

sparc stable
Comment 19 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-01 15:07:28 UTC
CVE-2009-0696 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0696):
  The dns_db_findrdataset function in db.c in named in ISC BIND 9.4
  before 9.4.3-P3, 9.5 before 9.5.1-P3, and 9.6 before 9.6.1-P1, when
  configured as a master server, allows remote attackers to cause a
  denial of service (assertion failure and daemon exit) via an ANY
  record in the prerequisite section of a crafted dynamic update
  message, as exploited in the wild in July 2009.

Comment 20 Raúl Porcel (RETIRED) gentoo-dev 2009-08-01 19:09:27 UTC
alpha/arm/ia64/s390/sh stable
Comment 21 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-01 20:06:14 UTC
GLSA 200908-02.
Comment 22 David Sparks 2009-08-10 19:40:08 UTC
(In reply to comment #21)
> GLSA 200908-02.
> 

ns1 ~ # glsa-check -d 200908-02
                  GLSA 200908-02:
BIND: Denial of Service
============================================================================
Synopsis:          Dynamic Update packets can cause a Denial of Service in
                   the BIND daemon.
Announced on:      August 01, 2009
Last revised on:   August 01, 2009: 01

Affected package:  net-dns/bind
Affected archs:    All
Vulnerable:        <9.4.3_p3
Unaffected:        >=9.4.3_p3
                   ^^^^^^^^^^

I believe the above glsa does not alert if someone is running a vulnerable 9.5.x or 9.6.x version of bind.  Minimum fixed versions for those branches are:

bind-9.5.1-p3
bind-9.6.1-p1
Comment 23 Robert Buchholz (RETIRED) gentoo-dev 2009-08-10 21:59:03 UTC
Dave, this is correct. Unstable (~arch) ebuilds are not subject to GLSA publication. In consequence, affected/unaffected versions mentioned in a GLSA only cover the stable ebuilds. BIND 9.5 and 9.6 are not stable ebuilds in Gentoo.