| Summary: | <net-dns/bind-9.4.3_p3 Denial of Service via dynamic update request (CVE-2009-0696) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | critical | CC: | axiator, bernd, bind+disabled, davidsparks, dubkat, duncan, gentoo, Jan.Schubert, jvds, nabeken, ole+gentoo, rajiv, romans.heimanis, tais.hansen, tb, voxus |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.kb.cert.org/vuls/id/725188 | | |
| Whiteboard: | A3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Robert Buchholz (RETIRED)
Candidates for stabilization:
=net-dns/bind-9.4.3_p3
=net-dns/bind-tools-9.4.3_p3

Bumps for 9.5 and 9.6 will follow tomorrow.

Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

*** Bug 279515 has been marked as a duplicate of this bug. ***

Stable for HPPA.

+ 29 Jul 2009; <chainsaw@gentoo.org> bind-9.4.3_p3.ebuild:
+ Marked stable on AMD64 as requested by Robert Buchholz <rbu@gentoo.org> in
+ security bug #279508. Tested with USE="berkdb idn ipv6 ldap resolvconf ssl
+ threads urandom -dlz -doc -mysql -odbc -postgres (-selinux)" on a Core2
+ Duo.

Please mark stable for x86 - I have tested ~x86 - no problems so far!

I'll raise severity as impact is critical for production systems and the exploit is public.

*** Bug 279579 has been marked as a duplicate of this bug. ***

x86 stable

Why is it not reported in Gentoo Linux Security Advisories?

(In reply to comment #10)
> Why is it not reported in Gentoo Linux Security Advisories?

Because it's not stable on all arches yet. See the vulnerability treatment policy if you want more details.

bind herd, are you discontinuing support for bind 9.5? I saw 9.6 was bumped, but not 9.5.

(In reply to comment #12)
> bind herd, are you discontinuing support for bind 9.5? I saw 9.6 was bumped,
> but not 9.5.

9.5.1_p3 is in CVS, too.

And please also note that the following packages should be marked as stable:
=net-dns/bind-9.4.3_p3
=net-dns/bind-tools-9.4.3_p3
Therefore re-adding amd64.

Marked ppc/ppc64 stable.

amd64 stable

I'll remove ppc and ppc64 since they are done.

net-dns/bind-tools/bind-tools-9.4.3_p3.ebuild: RDEPEND is not explicitly assigned

sparc stable

CVE-2009-0696 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0696):
The dns_db_findrdataset function in db.c in named in ISC BIND 9.4 before 9.4.3-P3, 9.5 before 9.5.1-P3, and 9.6 before 9.6.1-P1, when configured as a master server, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an ANY record in the prerequisite section of a crafted dynamic update message, as exploited in the wild in July 2009.

alpha/arm/ia64/s390/sh stable

GLSA 200908-02.

(In reply to comment #21)
> GLSA 200908-02.

    ns1 ~ # glsa-check -d 200908-02
    GLSA 200908-02: BIND: Denial of Service
    ============================================================================
    Synopsis:         Dynamic Update packets can cause a Denial of Service in the BIND daemon.
    Announced on:     August 01, 2009
    Last revised on:  August 01, 2009: 01
    Affected package: net-dns/bind
    Affected archs:   All
    Vulnerable:       <9.4.3_p3
    Unaffected:       >=9.4.3_p3
                      ^^^^^^^^^^

I believe the above GLSA does not alert if someone is running a vulnerable 9.5.x or 9.6.x version of bind. Minimum fixed versions for those branches are:
bind-9.5.1-p3
bind-9.6.1-p1

Dave, this is correct. Unstable (~arch) ebuilds are not subject to GLSA publication. In consequence, affected/unaffected versions mentioned in a GLSA only cover the stable ebuilds. BIND 9.5 and 9.6 are not stable ebuilds in Gentoo.
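The CVE text quoted in the thread describes the trigger only as "an ANY record in the prerequisite section of a crafted dynamic update message". The following is an added example, not code from this bug, from Gentoo or from ISC: a small Python parser for DNS UPDATE (RFC 2136) messages that walks the Zone, Prerequisite and Update sections and flags prerequisite RRs of TYPE ANY that are not one of the two RFC 2136 prerequisite forms which legitimately use TYPE ANY (CLASS ANY = "name is in use", CLASS NONE = "name is not in use"). That narrowing is this example's own design choice so that normal nsupdate traffic is not flagged; it is not a statement of the exact condition BIND asserted on. The two sample messages are constructed inline, nothing is sent on the network, and `build_update`, `suspicious_prerequisites` and the other names are this example's own.

```python
"""Inspect DNS UPDATE messages for prerequisite RRs of TYPE ANY (added example)."""
import struct

OPCODE_UPDATE = 5
TYPE_ANY = 255
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255


def _read_name(msg, off):
    """Decode a wire-format name, following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name as written at `off`)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            if end is None:
                end = off + 2                          # resume after first pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels) or ".", (end if end is not None else off)


def _read_rr(msg, off):
    """Decode one resource record (NAME TYPE CLASS TTL RDLENGTH RDATA)."""
    name, off = _read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    if off + rdlen > len(msg):
        raise ValueError("RDATA runs past end of message")
    rr = {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": msg[off:off + rdlen]}
    return rr, off + rdlen


def parse_update(msg):
    """Return the Zone, Prerequisite and Update sections of an UPDATE request,
    or None when the message is not an UPDATE request (other opcode, or QR set)."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    ident, flags, zocount, prcount, upcount, _adcount = struct.unpack_from("!6H", msg, 0)
    if (flags >> 11) & 0xF != OPCODE_UPDATE or flags & 0x8000:
        return None
    off, zones, prereqs, updates = 12, [], [], []
    for _ in range(zocount):                           # Zone section: ZNAME ZTYPE ZCLASS
        zname, off = _read_name(msg, off)
        ztype, zclass = struct.unpack_from("!HH", msg, off)
        off += 4
        zones.append({"name": zname, "type": ztype, "class": zclass})
    for _ in range(prcount):                           # Prerequisite section
        rr, off = _read_rr(msg, off)
        prereqs.append(rr)
    for _ in range(upcount):                           # Update section
        rr, off = _read_rr(msg, off)
        updates.append(rr)
    return {"id": ident, "zone": zones, "prerequisite": prereqs, "update": updates}


def suspicious_prerequisites(msg):
    """Prerequisite RRs of TYPE ANY whose CLASS is neither ANY nor NONE, i.e. not
    one of the RFC 2136 prerequisite forms that legitimately carry TYPE ANY."""
    parsed = parse_update(msg)
    if parsed is None:
        return []
    return [rr for rr in parsed["prerequisite"]
            if rr["type"] == TYPE_ANY and rr["class"] not in (CLASS_ANY, CLASS_NONE)]


# --- constructed sample messages (built here, not captured traffic) ---
def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.rstrip(".").split(".")) + b"\0"


def _rr(name, rtype, rclass, ttl=0, rdata=b""):
    return _name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(zone, prereqs, updates, ident=0x1234):
    hdr = struct.pack("!6H", ident, OPCODE_UPDATE << 11, 1, len(prereqs), len(updates), 0)
    return hdr + _name(zone) + struct.pack("!HH", 6, CLASS_IN) + b"".join(prereqs) + b"".join(updates)


# Ordinary RFC 2136 update: "www.example.com. is in use" (CLASS ANY, TYPE ANY), then add an A record.
BENIGN = build_update("example.com.",
                      [_rr("www.example.com.", TYPE_ANY, CLASS_ANY)],
                      [_rr("www.example.com.", 1, CLASS_IN, 3600, bytes([192, 0, 2, 10]))])

# Prerequisite RR with TYPE ANY but CLASS IN: not a prerequisite form RFC 2136 defines.
ODD = build_update("example.com.", [_rr("www.example.com.", TYPE_ANY, CLASS_IN)], [])

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("odd", ODD)):
        print(label, suspicious_prerequisites(pkt))
```

Run against UDP payloads on port 53 taken from a capture, `suspicious_prerequisites` is empty for the benign update and returns the single CLASS IN / TYPE ANY prerequisite for the odd one. It is an inspection aid for deciding whether a master saw update traffic of the shape the CVE describes; the fix for the bug itself is upgrading to the minimum versions listed in the thread.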