Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 294497 (CVE-2009-4022)

Summary: <net-dns/bind-9.4.3_p4 DNSSEC Cache poisoning (CVE-2009-4022)
Product: Gentoo Security Reporter: Stefan Behte (RETIRED) <craig>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: bind+disabled, gentoobugs, jer, voxus
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.isc.org/node/504
Whiteboard: C3? [noglsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2009-11-24 22:51:02 UTC 
References:
https://www.isc.org/node/504
http://www.kb.cert.org/vuls/id/418861
https://bugzilla.redhat.com/show_bug.cgi?id=538744

Quoting from the redhat bug:
"ISC reports a cache poisoning flaw reported by Michael Sinatra of UC Berkeley
that may cause bind to cache replies that were not properly DNSSEC validated
when recursive query was done based on uncommon client query.

  A nameserver with DNSSEC validation enabled may incorrectly add records
  to its cache from the additional section of responses received during
  resolution of a recursive client query. This behavior only occurs when
  processing client queries with checking disabled (CD) at the same time
  as requesting DNSSEC records (DO).

This issue was reported to affect all 9.x versions and should be fixed in
9.4.3-P4, 9.5.2-P1 and 9.6.1-P2."

Upgrade BIND to one of the following: 9.4.3-P4, 9.5.2-P1 or 9.6.1-P2.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-24 22:56:50 UTC 
Voxus, bind herd, can you provide new ebuilds?
Comment 2 Hanno Böck gentoo-dev 2009-11-25 14:36:55 UTC 
*** Bug 294570 has been marked as a duplicate of this bug. ***
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-26 08:26:24 UTC 
CVE-2009-4022 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4022):
  Unspecified vulnerability in ISC BIND 9.4 before 9.4.3-P4, 9.5 before
  9.5.2-P1, 9.6 before 9.6.1-P2, 9.7 beta before 9.7.0b3, and 9.0.x
  through 9.3.x with DNSSEC validation enabled and checking disabled
  (CD), allows remote attackers to conduct DNS cache poisoning attacks
  via additional sections in a response sent for resolution of a
  recursive client query, which is not properly handled when the
  response is processed "at the same time as requesting DNSSEC records
  (DO)."
Comment 4 Christian Ruppert (idl0r) gentoo-dev 2009-11-26 17:59:02 UTC 
(In reply to comment #1)
> Voxus, bind herd, can you provide new ebuilds?
> 

Done.
net-dns/bind-9.4.3_p4 and net-dns/bind-9.6.1_p2 are in tree now.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-12-02 20:45:25 UTC 
Arches, please test and mark stable:
=net-dns/bind-9.4.3_p4
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2009-12-03 02:19:41 UTC 
(In reply to comment #5)
> Arches, please test and mark stable:
> =net-dns/bind-9.4.3_p4
> Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

And =net-dns/bind-tools-9.4.3_p4 naturally.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2009-12-03 06:12:09 UTC 
Both stable for HPPA.
Comment 8 Markus Meier gentoo-dev 2009-12-03 10:56:45 UTC 
amd64/arm/x86 stable
Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-12-08 14:36:33 UTC 
ppc64 done
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2009-12-09 15:38:33 UTC 
Stable for PPC.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2009-12-09 18:53:07 UTC 
alpha/ia64/s390/sh/sparc stable
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 02:11:52 UTC 
GLSA vote: no.
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2010-01-27 18:16:10 UTC 
ppc64 forgot about bind-tools.
Comment 14 Brent Baude (RETIRED) gentoo-dev 2010-01-27 18:41:12 UTC 
got -tools for ppc64 now
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-27 19:26:42 UTC 
jer: why do need bind-tools to go stable for a bug in bind?
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2010-01-29 04:11:46 UTC 
(In reply to comment #15)
> jer: why do need bind-tools to go stable for a bug in bind?

Because, if you happen to run a named, you would want the tools' version and patch level to match the server's. Both packages are compiled from the same source tarball too.
Comment 17 Tobias Heinlein (RETIRED) gentoo-dev 2010-01-29 11:06:14 UTC 
NO too, closing.
Comment 18 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-29 11:38:32 UTC 
>Because, if you happen to run a named, you would want the tools' version and
>patch level to match the server's.

No, why would I?

diff -ur does not show differences in the tools (correct me, if I'm wrong), so why should we care to update them, too?