BIND 9.5.1 Beta 1 is now available. BIND 9.5.1b1 is a beta maintenance release of BIND 9.5.

URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT
Please read security alert below!
URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT

BIND 9.5.1b1 contains the following security fixes:

2375. [security] Fully randomize UDP query ports to improve forgery resilience. [RT #17949]
2384. [security] Additional support for query port randomization (change #2375) including performance improvement and port range specification. [RT #17949, #18098]

Thanks to recent work by Dan Kaminsky of IOActive, ISC has become aware of a potential attack exploiting weaknesses in the DNS protocol itself to enable the poisoning of caching recursive resolvers with spoofed data. For additional information about this vulnerability, see US-CERT (CERT VU#800113 DNS Cache Poisoning Issue). For more details on the changes to BIND, see http://www.isc.org/sw/bind/forgery-resilience.php.

IF YOU ARE RUNNING BIND AS A CACHING RESOLVER YOU NEED TO TAKE ACTION.

DNSSEC is the only definitive solution for this issue. Understanding that immediate DNSSEC deployment is not a realistic expectation, ISC is releasing patched versions of BIND that improve its resilience against this attack. The method used makes it harder to spoof answers to a resolver by expanding the range of UDP ports from which queries are sent by the nameserver, thereby increasing the variability of parameters in outgoing queries.

BIND 9.5.1b1 can be downloaded from
ftp://ftp.isc.org/isc/bind9/9.5.1b1/bind-9.5.1b1.tar.gz

The PGP signature of the distribution is at
ftp://ftp.isc.org/isc/bind9/9.5.1b1/bind-9.5.1b1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.5.1b1/bind-9.5.1b1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1b1/bind-9.5.1b1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is available at <http://www.isc.org/about/openpgp/pgpkey2006.txt>.

A binary kit for Windows 2000, Windows XP and Windows 2003 is at
ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.zip
ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.debug.zip

The PGP signature of the binary kit for Windows 2000, Windows XP and Windows 2003 is at
ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.5.1b1/BIND9.5.1b1.debug.zip.sha512.asc

Changes since 9.5.0:

--- 9.5.1b1 released ---

2385. [bug] A condition variable in socket.c could leak in rare error handling. [RT #17968]
2384. [security] Additional support for query port randomization (change #2375) including performance improvement and port range specification. [RT #17949, #18098]
2383. [bug] named could double queries when they resulted in SERVFAIL due to overkilling EDNS0 failure detection. [RT #18182]
2382. [doc] Add descriptions of DHCID, IPSECKEY, SPF and SSHFP to ARM.
2381. [port] dlz/mysql: support multiple install layouts for mysql. <prefix>/include/{,mysql/}mysql.h and <prefix>/lib/{,mysql/}. [RT #18152]
2380. [bug] dns_view_find() was not returning NXDOMAIN/NXRRSET proofs which, in turn, caused validation failures for insecure zones immediately below a secure zone the server was authoritative for. [RT #18112]
2379. [contrib] queryperf/gen-data-queryperf.py: removed redundant TLDs and supported RRs with TTLs. [RT #17972]
2378. [bug] gssapi_functions{} had a redundant member in BIND 9.5. [RT #18169]
2377. [bug] Address race condition in dnssec-signzone. [RT #18142]
2376. [bug] Change #2144 was not complete.
2375. [security] Fully randomize UDP query ports to improve forgery resilience. [RT #17949]
2373. [bug] Default values of zone ACLs were re-parsed each time a new zone was configured, causing an overconsumption of memory. [RT #18092]
Linux since 2.6.24 independently randomizes UDP source ports if none is specified. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=32c1da70810017a98aa6c431a5494a302b6b9a30
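As an added example (not from ISC or from this bug), a check of the configuration side of this fix: the port randomization in the announcement (#2375, with range specification in #2384) and the kernel-side randomization noted above only apply when named does not pin its source port, so the script flags a numeric `query-source ... port` and sizes the (TXID, source port) space a forged answer has to hit. The regex parsing, the sample configs and the default range of 1024 to 65535 (taken as BIND's documented default) are assumptions.

```python
import re

TXID_SPACE = 65536  # 16-bit DNS message ID; the only varying field once the port is pinned
# Assumption: BIND's documented default UDP source-port range when no
# use-v4-udp-ports range is configured.
DEFAULT_RANGE = (1024, 65535)
_COMMENT = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)
_QSRC = re.compile(r"\bquery-source(-v6)?\b([^;]*);")
_PORT = re.compile(r"\bport\s+(\*|\d+)")
_RANGE = re.compile(r"\buse-v4-udp-ports\s*\{\s*range\s+(\d+)\s+(\d+)\s*;")

def source_port_space(named_conf):
    """Return (port_space, findings): how many distinct UDP source ports named
    may use for outgoing queries, and the directives that collapse that space."""
    text = _COMMENT.sub("", named_conf)
    lo, hi = DEFAULT_RANGE
    m = _RANGE.search(text)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
    space = max(hi - lo + 1, 1)
    findings = []
    for m in _QSRC.finditer(text):
        p = _PORT.search(m.group(2))
        if p and p.group(1) != "*":
            # A numeric port pins every outgoing query to it: neither named nor
            # the kernel gets to pick, so only the TXID stays unpredictable.
            findings.append("query-source%s pins UDP source port %s" % (m.group(1) or "", p.group(1)))
            space = 1
    return space, findings

def guess_space(port_space):
    """Number of (TXID, source port) pairs a forged answer has to match."""
    return TXID_SPACE * port_space

# Constructed sample configurations (not from the bug report or from ISC).
PINNED_CONF = """
options {
    query-source address * port 53;   // undoes change #2375
};
"""
RANDOMIZED_CONF = """
options {
    query-source address * port *;
    use-v4-udp-ports { range 1024 65535; };
};
"""
if __name__ == "__main__":
    for name, conf in (("pinned", PINNED_CONF), ("randomized", RANDOMIZED_CONF)):
        space, findings = source_port_space(conf)
        print(name, space, "ports ->", guess_space(space), "pairs to guess", findings)
```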
I just committed 9.4.2_p1 and 9.5.0_p1.

Candidates for stabilization:
=net-dns/bind-9.4.2_p1
=net-dns/bind-tools-9.4.2_p1

Arches, please test and mark stable:
=net-dns/bind-9.4.2_p1
=net-dns/bind-tools-9.4.2_p1

Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
net-dns/bind-9.4.2_p1 USE="berkdb doc mysql ssl threads -dlz -idn -ipv6 -ldap -odbc -postgres -resolvconf (-selinux) -urandom"
net-dns/bind-tools-9.4.2_p1 USE="-idn -ipv6"

* Emerges on AMD64.
* Works: bind runs and works (some queries were made). dig, nslookup and dnssec-keygen from bind-tools are also working.

Portage 2.1.4.4 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24-gentoo-r8 x86_64)
System uname: 2.6.24-gentoo-r8 x86_64 AMD Turion(tm) 64 X2 Mobile Technology TL-56
Timestamp of tree: Tue, 08 Jul 2008 20:38:01 +0000
If you install bind-tools first you get a collision on: /usr/share/man/man8/dnssec-keygen.8 It apparently used to belong to bind. Ideally bind-tools should block on older versions of bind. However, being a security bug I'm not sure if we normally let these issues slide...
bind triggers a repoman error - unquoted variable on line 63 (filesdir - trivial to fix). Both are ready to stable on amd64 other than the minor QA issues. I'm not sure how we normally handle QA policy vs urgency of security issues - I can commit them if this is appropriate.
ppc64 stable [ fixed quoting, too ]
x86 stable
alpha/ia64/sparc stable
amd64 stable
ppc stable
Stable on hppa.
GLSA 200807-08 thanks everyone
*** Bug 231832 has been marked as a duplicate of this bug. ***