| Summary: | <net-dns/bind-9.9.4_p2: A Crafted Query Against an NSEC3-signed Zone Can Crash BIND (CVE-2014-0591) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | idl0r, mark, s390, sh+disabled |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://kb.isc.org/article/AA-01078 | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Kristian Fiskerstrand (RETIRED)
2014-01-13 17:03:15 UTC

9.9.4-P2 has just been added to the tree.

Arches, please test and stabilize:
=net-dns/bind-9.9.4_p2
Target arches: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Stable for HPPA.

CVE-2014-0591 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0591): The query_findclosestnsec3 function in query.c in named in ISC BIND 9.6, 9.7, and 9.8 before 9.8.6-P2 and 9.9 before 9.9.4-P2, and 9.6-ESV before 9.6-ESV-R10-P2, allows remote attackers to cause a denial of service (INSIST assertion failure and daemon exit) via a crafted DNS query to an authoritative nameserver that uses the NSEC3 signing feature.

amd64 stable

x86 stable

ppc64 stable

ppc stable

arm stable

alpha stable

*** Bug 499074 has been marked as a duplicate of this bug. ***

ia64 stable

sparc stable. Maintainer(s), please cleanup. Security, please vote.

I know s390 and sh aren't stable arches but I'll add them here anyway. So guys, please take a look at bind-9.9.4_p2 as we'll drop bind-9.9.3_p2 soonish.

Hi everyone,
This bug's importance is marked "Normal minor". I don't understand why, hopefully someone can explain. In my opinion the bug's priority should be more urgent. Our servers were attacked and did crash. The attacks seemed to occur at random and did not take longer than about five minutes per attack, but as a result our DNS servers did crash quite often. I don't know if squiddies attacked specifically us. At first we worked around this by creating a wrapper that kept restarting BIND a second after a crash occurred. But attacks increased so we decided to bump to bind-9.9.4_p2 via our private overlay. But if the bump to p2 could occur via the Gentoo repo quickly, that would be great. Thanks.

Marckus,
We have a policy for setting bug's severity and priority (available at http://www.gentoo.org/security/en/vulnerability-policy.xml). A denial of service, even of high exploitability, is always of minor severity. In this case, the fixed version (9.9.4_p2) has already been committed and stabilized in CVS, so you should just be able to sync the Portage tree (emerge --sync) and emerge the newest version of bind. Thank you for your understanding!

Hi Samuel,
Thanks for the link providing the policy, it's much appreciated. Also I'm glad that the update has been committed, it sure is a nasty bug.
Cheers,
Mark

GLSA vote: yes.

(In reply to Chris Reffett from comment #18)
> GLSA vote: yes.

We already have a GLSA request from prior bug. This was added to it.

This issue was resolved and addressed in GLSA 201401-34 at http://security.gentoo.org/glsa/glsa-201401-34.xml by GLSA coordinator Sean Amoss (ackle).

Re-open for cleanup.

Still need to clean up

PING!

Maintainer timeout.

+ 21 May 2014; Mikle Kolyada <zlogene@gentoo.org> -bind-9.9.3_p2.ebuild: + Drop insecure version +