Summary: | net-dns/bind < 9.4.2_p1 <9.5.0_p1 Port randomization/cache poisoning (CVE-2008-1447) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | bind+disabled, martin.holzer, rich0, stefan, tb |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://ftp.isc.org/isc/bind9/9.5.1b1/9.5.1b1 | ||
Whiteboard: | A3 [glsa] | ||
Package list: | | Runtime testing required: | --- |
Bug Depends on: | |||
Bug Blocks: | 225885 |
Description
Robert Buchholz (RETIRED)
2008-07-08 17:43:11 UTC
Linux since 2.6.24 independently randomizes UDP source ports if none is specified.
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=32c1da70810017a98aa6c431a5494a302b6b9a30

I just committed 9.4.2_p1 and 9.5.0_p1.

Candidates for stabilization:
=net-dns/bind-9.4.2_p1
=net-dns/bind-tools-9.4.2_p1

Arches, please test and mark stable:
=net-dns/bind-9.4.2_p1
=net-dns/bind-tools-9.4.2_p1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

net-dns/bind-9.4.2_p1 USE="berkdb doc mysql ssl threads -dlz -idn -ipv6 -ldap -odbc -postgres -resolvconf (-selinux) -urandom"
net-dns/bind-tools-9.4.2_p1 USE="-idn -ipv6"

* Emerges on AMD64.
* Works: bind runs and works (some queries were made). dig, nslookup and dnssec-keygen from bind-tools are also working.

Portage 2.1.4.4 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.24-gentoo-r8 x86_64 AMD Turion(tm) 64 X2 Mobile Technology TL-56
Timestamp of tree: Tue, 08 Jul 2008 20:38:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.4 [enabled]
app-shells/bash: 3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python: 2.4.4-r13
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache: 2.4-r7
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r2
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.26
virtual/os-headers: 2.6.23-r3
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -Os -msse3 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-march=k8 -Os -msse3 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://darkstar.ist.utl.pt/gentoo/ http://cesium.di.uminho.pt/pub/gentoo/"
LANG="pt_PT@euro"
LINGUAS="en pt pt_PT"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X a52 aac acpi alsa amd64 amr amrnb amrwb bash-completion berkdb branding bzip2 cairo cli cracklib crypt cups dbus devhelp divx doc dvd dvdr emerald encode exif fam ffmpeg firefox flac fortran gd gdbm gif gimp glade glib glitz gstreamer gtk gtkspell hal hddtemp iconv ieee1394 imagemagick insecure-savers isdnlog javascript jpeg jpeg2k kde kqemu lame laptop libcaca libnotify midi mmx mmxext mp2 mp3 mp4 mpeg mplayer mudflap musicbrainz mysql ncurses nls nptl nptlonly offensive ogg opengl openmp pam pcre png pppd python quicktime readline realmedia reflection samba sdl session smp sndfile sourceview spell spl sse sse2 ssl stream svg syslog taglib tcpd threads tiff truetype type1 unicode v4l v4l2 vhosts vim-syntax vorbis wifi wmp xcomposite xfs xorg xosd xpm xscreensaver xvid zlib"
ALSA_CARDS="hda-intel"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CAMERAS="spca50x"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev synaptics joystick"
KERNEL="linux"
LCD_DEVICES="xosd"
LINGUAS="en pt pt_PT"
USERLAND="GNU"
VIDEO_CARDS="nv nvidia none"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

If you install bind-tools first you get a collision on:
/usr/share/man/man8/dnssec-keygen.8

It apparently used to belong to bind. Ideally bind-tools should block on older versions of bind. However, being a security bug I'm not sure if we normally let these issues slide...

bind triggers a repoman error - unquoted variable on line 63 (filesdir - trivial to fix).

Both are ready to stable on amd64 other than the minor QA issues. I'm not sure how we normally handle QA policy vs urgency of security issues - I can commit them if this is appropriate.

ppc64 stable [ fixed quoting, too ]

x86 stable

alpha/ia64/sparc stable

amd64 stable

ppc stable

Stable on hppa.

GLSA 200807-08

thanks everyone

*** Bug 231832 has been marked as a duplicate of this bug. ***
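A check for the behaviour the description refers to (the kernel choosing the UDP source port when none is specified), as an added example that is not part of the bug report: it collects kernel-assigned ports and rates a sample of observed query source ports. The function names, the rating labels and both thresholds are assumptions chosen for illustration.

```python
import socket
import statistics

MIN_STDEV = 3000   # assumed threshold; a uniform 32768-60999 range gives roughly 8150
MAX_STEP = 16      # assumed: small, always-positive increments count as sequential

def kernel_assigned_ports(n=32, host="127.0.0.1"):
    """Open n UDP sockets without naming a port and return what the kernel assigned."""
    socks, ports = [], []
    try:
        for _ in range(n):
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.bind((host, 0))      # port 0 means "none is specified"
            socks.append(s)        # keep open so one port is not handed out twice
            ports.append(s.getsockname()[1])
    finally:
        for s in socks:
            s.close()
    return ports

def assess_source_ports(ports):
    """Rate source ports seen on outgoing queries, in the order they were observed."""
    if len(ports) < 2:
        raise ValueError("need at least two observations")
    if len(set(ports)) == 1:
        return "FIXED"             # e.g. a resolver pinned to one query source port
    steps = [b - a for a, b in zip(ports, ports[1:])]
    if all(0 < d <= MAX_STEP for d in steps):
        return "SEQUENTIAL"        # predictable even though the ports differ
    if statistics.pstdev(ports) < MIN_STDEV:
        return "POOR"              # ports vary, but only inside a narrow window
    return "GOOD"

# Constructed samples, not captured traffic.
SAMPLE_FIXED = [53] * 10
SAMPLE_SEQUENTIAL = list(range(1024, 1044))
SAMPLE_NARROW = [40000, 40010, 40003, 40025, 40001, 40017, 40008, 40020]
SAMPLE_SPREAD = [33012, 58110, 41877, 60214, 36590,
                 49321, 54006, 38745, 45533, 57002]

if __name__ == "__main__":
    live = kernel_assigned_ports()
    print("kernel-assigned:", live[:8], "->", assess_source_ports(live))
    for name, sample in [("fixed", SAMPLE_FIXED), ("sequential", SAMPLE_SEQUENTIAL),
                         ("narrow", SAMPLE_NARROW), ("spread", SAMPLE_SPREAD)]:
        print(name, "->", assess_source_ports(sample))
```

To rate a resolver rather than the local kernel, pass `assess_source_ports` the source ports seen on its outgoing queries, for example extracted from a packet capture on the upstream side.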