From http://www.openwall.com/lists/oss-security/2015/12/15/15:

CVE: CVE-2015-8461
Document Version: 2.0
Posting date: 15 December 2015
Program Impacted: BIND
Versions affected: 9.9.8 -> 9.9.8-P1, 9.9.8-S1 -> 9.9.8-S2, 9.10.3 -> 9.10.3-P1
Severity: Medium
Exploitable: Remotely

Description:
Beginning with the September 2015 maintenance releases 9.9.8 and 9.10.3, an error was introduced into BIND 9 which can cause a server to exit after encountering an INSIST assertion failure in resolver.c

Impact:
An uncommonly occurring condition can cause affected servers to exit with an INSIST failure depending on the outcome of a race condition in resolver.c While difficult to exploit reliably, a malicious party could, through deliberate behavior, significantly increase the probability of encountering the triggering condition, resulting in denial-of-service to clients if successful.

CVSS Score: 5.4
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:H/Au:N/C:N/I:N/A:C)

Workarounds: None.
Active exploits: None known.

Solution:
Upgrade to the patched release most closely related to your current version of BIND. Public open-source branches can be downloaded from http://www.isc.org/downloads.

BIND 9 version 9.9.8-P2
BIND 9 version 9.10.3-P2

From http://www.openwall.com/lists/oss-security/2015/12/15/14:

CVE: CVE-2015-8000
Document Version: 2.0
Posting date: 15 December 2015
Program Impacted: BIND
Versions affected: 9.0.x -> 9.9.8, 9.10.0 -> 9.10.3
Severity: Critical
Exploitable: Remotely

Description:
An error in the parsing of incoming responses allows some records with an incorrect class to be accepted by BIND instead of being rejected as malformed. This can trigger a REQUIRE assertion failure when those records are subsequently cached. Intentional exploitation of this condition is possible and could be used as a denial-of-service vector against servers performing recursive queries.

Impact:
An attacker who can cause a server to request a record with a malformed class attribute can use this bug to trigger a REQUIRE assertion in db.c, causing named to exit and denying service to clients. The risk to recursive servers is high. Authoritative servers are at limited risk if they perform authentication when making recursive queries to resolve addresses for servers listed in NS RRSETs.

CVSS Score: 7.1
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:C)

Workarounds: None.
Active exploits: No known active exploits.

Solution:
Upgrade to the patched release most closely related to your current version of BIND. Public open-source branches can be downloaded from http://www.isc.org/downloads.

BIND 9 version 9.9.8-P2
BIND 9 version 9.10.3-P2

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
net-dns/bind-9.10.3_p2 and net-dns/bind-tools-9.10.3_p2 have been added. Please stabilize both together, net-dns/bind and net-dns/bind-tools, if you'd like to stabilize the fixed version.
Arches, please test and mark stable:
=net-dns/bind-9.10.3_p2
=net-dns/bind-tools-9.10.3_p2
Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Thank you!
Depends on =dev-libs/libressl-2.2.5 which is ~amd64
[ebuild R ~] net-dns/bind-tools-9.10.3_p2::gentoo USE="ipv6 libressl* readline seccomp ssl -doc -gost -gssapi -idn -urandom -xml" 0 KiB
Stable for HPPA PPC64.
(In reply to Craig Inches from comment #3)
> Depends on =dev-libs/libressl-2.2.5 which is ~amd64

That's why it's masked in profiles/base/use.stable.mask, so it doesn't matter.
(In reply to Jeroen Roovers from comment #5)
> (In reply to Craig Inches from comment #3)
> > Depends on =dev-libs/libressl-2.2.5 which is ~amd64
>
> That's why it's masked in profiles/base/use.stable.mask, so it doesn't
> matter.

Then AMD64 OK
amd64 stable
x86 done
arm stable
sparc stable
alpha stable
ia64 stable
ppc stable. Maintainer(s), please cleanup. Security, please vote.
@maintainer(s), please cleanup the vulnerable versions.
=net-dns/bind-tools-9.10.1_p1 remains in the tree. Unsupported arches remain unstable for 9.10.1_p2. Please let us know if you can clean or need to stabilize the remaining arches.
Cleaned: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b2520af104c2969db12f4c37995e2886a0a835be