Summary: | <net-dns/bind-{9.6.2_p3-r1,9.7.2_p3-r1}: Multiple vulnerabilities (CVE-2010-{3613,3614,3615}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Tim Sammut (RETIRED) <underling> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | barzog, boss.gentoo, hanno, idl0r |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.isc.org/advisories | ||
Whiteboard: | B3 [glsa] | ||
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 337638 | ||
Bug Blocks: | | ||
Description
Tim Sammut (RETIRED)
2010-12-03 07:15:05 UTC
(In reply to comment #0)
> I believe the 9.4.x
> ebuilds should be replaced with an ebuild based on BIND 9.4-ESV-R4.
>

To be honest... I'm not sure how to version it properly.
I'd like to stabilize bind-9.6.2_p3-r1 and bind-9.4.3_p5-r3 soonish and get rid of 9.4 instead. It seems they dropped support for 9.4 except for security updates, like in this case. It's no longer listed at their download page, just left in their "archive".

(In reply to comment #1)
> I'd like to stabilize bind-9.6.2_p3-r1 and bind-9.4.3_p5-r3 soonish and get
> rid of 9.4 instead.
>

I am a little confused. You just added:

*bind-9.7.2_p3-r1 (03 Dec 2010)
*bind-9.6.2_p3-r1 (03 Dec 2010)
*bind-9.4.3_p5-r3 (03 Dec 2010)

We should stabilize bind-9.7.2_p3-r1 and bind-9.6.2_p3-r1 on amd64 since the current stable versions are vulnerable.

Do you want to stabilize bind-9.4.3_p5-r3 on all stable archs? Or remove 9.4.* from the tree and stabilize bind-9.7.2_p3-r1 on all archs? Or, something else. ;)

(In reply to comment #2)
> (In reply to comment #1)
> > I'd like to stabilize bind-9.6.2_p3-r1 and bind-9.4.3_p5-r3 soonish and get
> > rid of 9.4 instead.
> >
>
> I am a little confused. You just added:
>
> *bind-9.7.2_p3-r1 (03 Dec 2010)
> *bind-9.6.2_p3-r1 (03 Dec 2010)
> *bind-9.4.3_p5-r3 (03 Dec 2010)
>
> We should stabilize bind-9.7.2_p3-r1 and bind-9.6.2_p3-r1 on amd64 since the
> current stable versions are vulnerable.
>
> Do you want to stabilize bind-9.4.3_p5-r3 on all stable archs? Or remove 9.4.*
> from the tree and stabilize bind-9.7.2_p3-r1 on all archs? Or, something else.
> ;)
>

Ignore 9.4 there :P
I'd like to stabilize bind-9.6.2_p3-r1 *and* bind-9.7.2_p3-r1 on all arches and then remove 9.4 from the tree.

(In reply to comment #3)
>
> Ignore 9.4 there :P
> I'd like to stabilize bind-9.6.2_p3-r1 *and* bind-9.7.2_p3-r1 on all arches
> and then remove 9.4 from the tree.
>

Great, thanks.

Arches, please test and mark stable:
=net-dns/bind-9.7.2_p3-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
=net-dns/bind-9.6.2_p3-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

x86 stable

Stable for HPPA PPC.

9.7.2 is amd64 stable - have not tested 9.6.2

checking for ODBC DLZ driver... not found
configure: error: ODBC headers were not found in any of /usr /usr/local /usr/pkg; use --with-dlz-odbc=/path

!!! Please attach the following file when seeking support:
!!! /tmp/portage/net-dns/bind-9.6.2_p3-r1/work/bind-9.6.2-P3/config.log
 * ERROR: net-dns/bind-9.6.2_p3-r1 failed:
 *   econf failed
 *
 * Call stack:
 *   ebuild.sh, line 56: Called src_configure
 *   environment, line 3366: Called econf '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool' '--with-openssl' '--with-idn' '--enable-ipv6' '--with-libxml2' '--with-gssapi' '--with-dlz-filesystem' '--with-dlz-stub' '--with-dlz-postgres' '--with-dlz-mysql' '--with-dlz-bdb' '--with-dlz-ldap' '--with-dlz-odbc' '--disable-linux-caps' '--disable-threads' '--with-randomdev=/dev/urandom' '--with-geoip

someone else, with +odbc, can reproduce it?

Tested on SPARC, works. Stabilisation would be good.

(In reply to comment #8)
> checking for ODBC DLZ driver... not found
> configure: error: ODBC headers were not found in any of /usr /usr/local
> /usr/pkg; use --with-dlz-odbc=/path
>
> !!! Please attach the following file when seeking support:
> !!! /tmp/portage/net-dns/bind-9.6.2_p3-r1/work/bind-9.6.2-P3/config.log
> * ERROR: net-dns/bind-9.6.2_p3-r1 failed:
> * econf failed
> *
> * Call stack:
> * ebuild.sh, line 56: Called src_configure
> * environment, line 3366: Called econf '--sysconfdir=/etc/bind'
> '--localstatedir=/var' '--with-libtool' '--with-openssl' '--with-idn'
> '--enable-ipv6' '--with-libxml2' '--with-gssapi' '--with-dlz-filesystem'
> '--with-dlz-stub' '--with-dlz-postgres' '--with-dlz-mysql' '--with-dlz-bdb'
> '--with-dlz-ldap' '--with-dlz-odbc' '--disable-linux-caps' '--disable-threads'
> '--with-randomdev=/dev/urandom' '--with-geoip
>
>
> someone else, with +odbc, can reproduce it?
>

Works for me with both versions.

arm stable

(In reply to comment #10)
>
> Works for me with both versions.
>

Tested in a new clean installation, same problem. It does not work for me on amd64.

alpha/ia64/s390/sh/sparc stable

ppc64 done

amd64 done

Thank you, folks. GLSA Vote: Yes, remote DoS (CVE-2010-3613).

Yes, GLSA request filed.

This issue was resolved and addressed in GLSA 201206-01 at http://security.gentoo.org/glsa/glsa-201206-01.xml by GLSA coordinator Stefan Behte (craig).