Bug 309117 - <net-dns/unbound-1.4.3 - remote DoS (CVE-2010-0969)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.unbound.net/download.html
Whiteboard: B3 [glsa]
Depends on: 299016
Reported: 2010-03-12 11:45 UTC by Doktor Notor
Modified: 2011-10-15 09:23 UTC

Description Doktor Notor 2010-03-12 11:45:02 UTC
From 1.4.3 Changelog:

Fix for memory alignment in struct sock_list allocation. This is a remote denial of service vulnerability, as it could make unbound crash on 64bit systems if triggered.
Comment 1 MATSUU Takuto (RETIRED) gentoo-dev 2010-03-12 12:47:29 UTC
1.4.3 in cvs now.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-18 00:24:07 UTC
Is this ok to go stable?
Comment 3 MATSUU Takuto (RETIRED) gentoo-dev 2010-03-18 07:06:41 UTC
sorry,
please mark stable =net-dns/unbound-1.4.3
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-18 12:52:48 UTC
wdiff is missing for tests.
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-18 16:33:29 UTC
(In reply to comment #4)
> wdiff is missing for tests.

 I added it.
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-18 16:39:18 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2010-03-29 21:55:00 UTC
amd64 stable, all arches done.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-29 22:07:05 UTC
Vote: yes
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-31 19:46:25 UTC
CVE-2010-0969 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0969):
  Unbound before 1.4.3 does not properly align structures on 64-bit
  platforms, which allows remote attackers to cause a denial of service
  (daemon crash) via unspecified vectors.

Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2010-08-14 14:52:30 UTC
YES too, request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-10-15 09:23:11 UTC
This issue was resolved and addressed in
 GLSA 201110-12 at http://security.gentoo.org/glsa/glsa-201110-12.xml
by GLSA coordinator Tobias Heinlein (keytoaster).