Bug 368981 (CVE-2011-1922)

Summary: <net-dns/unbound-1.4.10: Remote DoS (CVE-2011-1922)
Product: Gentoo Security
Reporter: TANABE Ken-ichi <nabeken>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: alexanderyt, matsuu
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.unbound.net/download.html
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description TANABE Ken-ichi 2011-05-28 06:28:46 UTC
From Changelog:

 - Fix assertion failure when unbound generates an empty error reply
   in response to a query, CVE-2011-1922 VU#531342.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1922
https://www.kb.cert.org/vuls/id/531342

Reproducible: Always
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-05-28 17:18:26 UTC
According to [1] this is fixed in 1.4.10.

@matsuu, thanks for putting 1.4.10 in the tree so quickly. Can we stabilize =net-dns/unbound-1.4.10? Thanks!


[1] https://www.kb.cert.org/vuls/id/531342
Comment 2 MATSUU Takuto (RETIRED) gentoo-dev 2011-05-30 01:50:27 UTC
Sorry for the delay.

Please mark stable =net-dns/unbound-1.4.10.

unbound-1.4.8.ebuild:KEYWORDS="amd64 x86 ~x64-macos"
unbound-1.4.10.ebuild:KEYWORDS="~amd64 ~x86 ~x64-macos"
Comment 3 Andreas Schürch gentoo-dev 2011-05-30 05:43:06 UTC
Tested on x86, looks good to go here.
Comment 4 Agostino Sarubbo gentoo-dev 2011-05-30 12:06:55 UTC
amd64 ok
Comment 5 Ian Delaney (RETIRED) gentoo-dev 2011-05-30 15:29:23 UTC
amd64:

ditto Ago
Comment 6 Christoph Mende (RETIRED) gentoo-dev 2011-05-31 11:26:49 UTC
amd64 stable
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-05-31 13:32:17 UTC
x86 stable, thanks Andreas (last arch done)
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-05-31 16:46:16 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2011-06-13 19:56:32 UTC
CVE-2011-1922 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1922):
  daemon/worker.c in Unbound 1.x before 1.4.10, when debugging functionality
  and the interface-automatic option are enabled, allows remote attackers to
  cause a denial of service (assertion failure and daemon exit) via a crafted
  DNS request that triggers improper error handling.
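The CVE text above makes exposure conditional on three things at once: an Unbound 1.x release older than 1.4.10, a build with debugging (and therefore assertions) compiled in, and interface-automatic turned on in unbound.conf. The checker below encodes exactly those conditions so an administrator can tell whether a given host is affected before chasing the stabilization. It is an added example, not code from this bug, from Gentoo, or from the Unbound project. It assumes the caller passes in the "Version x.y.z" line that `unbound -h` prints and already knows from the build flags whether the binary was built with debugging enabled; the version strings and unbound.conf fragments embedded in it are constructed samples.

```python
"""Check whether an Unbound deployment matches the CVE-2011-1922 conditions.

Added example (not Gentoo or Unbound project code). Conditions taken from the
CVE description: Unbound 1.x before 1.4.10, debugging enabled in the build,
and 'interface-automatic: yes' in unbound.conf. Inputs are constructed samples.
"""
import re
from typing import Optional, Tuple

# First release carrying the fix, per the bug summary and the CVE text.
FIXED_VERSION = (1, 4, 10)

# Constructed sample inputs (not captured from a real host).
SAMPLE_VERSION_OLD = "Version 1.4.8"      # the stable ebuild listed in comment 2
SAMPLE_VERSION_FIXED = "Version 1.4.10"
SAMPLE_CONF_AUTO = """server:
    # constructed sample unbound.conf
    interface: 0.0.0.0
    interface-automatic: yes
    verbosity: 1
"""
SAMPLE_CONF_DEFAULT = """server:
    interface: 192.0.2.1
    # interface-automatic: yes   (commented out, so the default 'no' applies)
"""


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the first dotted version from text, e.g. 'Version 1.4.8' -> (1, 4, 8)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups(default="0"))


def version_is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True for any 1.x release before 1.4.10, the range named in the CVE text."""
    return version[0] == 1 and version < FIXED_VERSION


def interface_automatic_enabled(conf: str) -> bool:
    """Conservative scan of unbound.conf text: any uncommented
    'interface-automatic: yes' counts as enabled (default is no)."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        m = re.match(r"interface-automatic:\s*(yes|no)\b", line, re.IGNORECASE)
        if m and m.group(1).lower() == "yes":
            return True
    return False


def is_affected(version_text: str, conf: str, debug_build: bool) -> bool:
    """All three CVE conditions must hold for the assertion path to be reachable.

    debug_build is supplied by the caller (assumption: it reflects whether the
    binary was built with Unbound's debugging/assertions enabled)."""
    version = parse_version(version_text)
    if version is None:
        raise ValueError("no version number found in %r" % version_text)
    return (version_is_vulnerable(version)
            and debug_build
            and interface_automatic_enabled(conf))


if __name__ == "__main__":
    for label, ver, conf, dbg in [
        ("1.4.8, debug, interface-automatic", SAMPLE_VERSION_OLD, SAMPLE_CONF_AUTO, True),
        ("1.4.8, no debug", SAMPLE_VERSION_OLD, SAMPLE_CONF_AUTO, False),
        ("1.4.8, default conf", SAMPLE_VERSION_OLD, SAMPLE_CONF_DEFAULT, True),
        ("1.4.10, debug, interface-automatic", SAMPLE_VERSION_FIXED, SAMPLE_CONF_AUTO, True),
    ]:
        print("%-40s affected=%s" % (label, is_affected(ver, conf, dbg)))
```

Only the first of the four sample cases reports affected; dropping any one condition (a non-debug build, the default `interface-automatic: no`, or the 1.4.10 release) clears it, which matches why the bug treated upgrading to 1.4.10 as the complete fix.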
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:09:36 UTC
Vote: YES. New GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-10-15 09:23:14 UTC
This issue was resolved and addressed in
 GLSA 201110-12 at http://security.gentoo.org/glsa/glsa-201110-12.xml
by GLSA coordinator Tobias Heinlein (keytoaster).