Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 301548 (CVE-2010-0097)

Summary: <net-dns/bind-9.4.3_p5 Cache poisoning (CVE-2009-4022,CVE-2010-0097)
Product: Gentoo Security Reporter: Rajiv Aaron Manglani (RETIRED) <rajiv>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: barzog, bind+disabled, hanno, jer
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 308035    
Bug Blocks:    

Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2010-01-19 17:57:18 UTC 
see also http://bugs.gentoo.org/show_bug.cgi?id=294497


To: bind-announce@isc.org
Date: Tue, 19 Jan 2010 17:27:49 +0000
Subject: ISC BIND 9.4.3-P5 is now available


                     BIND 9.4.3-P5 is now available.

BIND 9.4.3-P5 is a SECURITY PATCH for BIND 9.4.3.  It addresses two
potential cache poisoning vulnerabilities, both of which could allow
a validating recursive nameserver to cache data which had not been
authenticated or was invalid.

        Bugs should be reported to bind9-bugs@isc.org.

CVE identifiers: CVE-2009-4022, CVE-2010-0097
CERT advisories: VU#418861, VU#360341.

Information about these vulnerabilities can be found at:

        https://www.isc.org/advisories/CVE-2009-4022v6
        https://www.isc.org/advisories/CVE-2010-0097
Comment 1 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2010-01-19 17:58:09 UTC 
Changes since 9.4.3-P4:

2831.   [security]      Do not attempt to validate or cache
                        out-of-bailiwick data returned with a secure
                        answer; it must be re-fetched from its original
                        source and validated in that context. [RT #20819]

2828.   [security]      Cached CNAME or DNAME RR could be returned to clients
                        without DNSSEC validation. [RT #20737]

2827.   [security]      Bogus NXDOMAIN could be cached as if valid. [RT #20712]
Comment 2 Christian Ruppert (idl0r) gentoo-dev 2010-01-26 18:55:27 UTC 
bind-9.4.3_p5 and bind-9.6.1_p3 are in tree now.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-27 19:25:45 UTC 
Bind herd, is this ready for stabilization?
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-01 13:08:23 UTC 
CVE-2010-0097 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0097):
  ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before
  9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta does not properly
  validate DNSSEC (1) NSEC and (2) NSEC3 records, which allows remote
  attackers to add the Authenticated Data (AD) flag to a forged
  NXDOMAIN response for an existing domain.
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-01 13:21:17 UTC 
bind herd, ping, please see comment #3.
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2010-03-01 20:00:47 UTC 
(In reply to comment #3)
> Bind herd, is this ready for stabilization? 
> 

sure, let's go ...
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-01 20:15:34 UTC 
Arches, please test and mark stable:
=net-dns/bind-9.6.1_p3
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-01 20:18:18 UTC 
Uh, scratch that, wrong version. This is correct:

Arches, please test and mark stable:
=net-dns/bind-9.4.3_p5
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 9 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-03-02 06:35:37 UTC 
=net-dns/bind-9.4.3_p5 is now stable on x86
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2010-03-02 15:14:07 UTC 
Stable for HPPA.
Comment 11 Brent Baude (RETIRED) gentoo-dev 2010-03-02 15:50:06 UTC 
ppc64 done
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2010-03-03 19:53:47 UTC 
alpha/arm/ia64/s390/sh/sparc, and i also took the liberty to do bind-tools.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:21:08 UTC 
Ready to vote, I vote YES.
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:22:59 UTC 
Uh, we also need to wait for 308035 (CVE-2010-0290) as it seems, this fix was incomplete..
Comment 15 Markus Meier gentoo-dev 2010-03-07 14:48:02 UTC 
amd64 stable
Comment 16 Brent Baude (RETIRED) gentoo-dev 2010-03-23 19:46:24 UTC 
ppc done; closing as last arch
Comment 17 Tony Vroon (RETIRED) gentoo-dev 2010-03-23 19:54:36 UTC 
GLSA vote positive and no announcement sent yet, reopening.
Comment 18 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-29 22:16:04 UTC 
Thanks everyone, GLSA request filed.
Comment 19 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-02 21:24:25 UTC 
GLSA 201006-11