| Field | Value |
|---|---|
| Summary | <net-dns/bind-9.10.1_p1: DoS through recursive query loop, defect in GeoIP (CVE-2014-{3214,8500,8680} |
| Product | Gentoo Security |
| Reporter | Hanno Böck <hanno> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | idl0r, pacho, titanofold |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | A3 [glsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 524148 |
| Bug Blocks | |

Description
Hanno Böck
9.10.1-P1 has been added but not fully tested yet, esp. GeoIP.

(In reply to Christian Ruppert (idl0r) from comment #1)
> 9.10.1-P1 has been added but not fully tested yet, esp. GeoIP.

Thanks. Please initiate stabilization once you feel it is tested sufficiently.

(In reply to Kristian Fiskerstrand from comment #2)
> (In reply to Christian Ruppert (idl0r) from comment #1)
> > 9.10.1-P1 has been added but not fully tested yet, esp. GeoIP.
>
> Thanks. Please initiate stabilization once you feel it is tested
> sufficiently.

Basic functionality has been tested, though I am currently not able to test GeoIP features, esp. compatibility between 9.9.x and 9.10.x since GeoIP has been officially added/merged by upstream. I think we should go with 9.10.x anyway.

Arches, please test and mark stable:

=net-dns/bind-9.10.1_p1

Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

@titanofold: http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-dns/bind/bind-9.10.1.ebuild?r1=1.4&r2=1.5 Was that keyword dropping on purpose? It was added a rev. before, by Mike. Can you restore the keywords please?

CVE-2014-8680 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8680): The GeoIP functionality in ISC BIND 9.10.0 through 9.10.1 allows remote attackers to cause a denial of service (assertion failure and named exit) via vectors related to (1) the lack of GeoIP databases for both IPv4 and IPv6, or (2) IPv6 support with certain options.

CVE-2014-8500 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8500): ISC BIND 9.0.x through 9.8.x, 9.9.0 through 9.9.6, and 9.10.0 through 9.10.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory consumption and named crash) via a large or infinite number of referrals.

amd64 stable

x86 stable

Stable for HPPA.

arm stable

alpha stable

ppc stable

ppc64 stable

ia64 stable

sparc stable.

Maintainer(s), please cleanup.

Security, please add it to the existing request, or file a new one.

Arches, Thank you for your work

Maintainer(s), please drop the vulnerable version(s).

New GLSA Request filed.

CVE-2014-3214 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3214): The prefetch implementation in named in ISC BIND 9.10.0, when a recursive nameserver is enabled, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via a DNS query that triggers a response with unspecified attributes.

Maintainer(s), it has been 30 days since request for cleanup. Please drop the vulnerable versions.

This issue was resolved and addressed in GLSA 201502-03 at http://security.gentoo.org/glsa/glsa-201502-03.xml by GLSA coordinator Kristian Fiskerstrand (K_F).

it seems that 9.9.5-r3 is not affected.

(In reply to Mikle Kolyada from comment #20)
> it seems that 9.9.5-r3 is not affected.

Not as far as I'm aware, so reopening for cleanup.

@maintainers: if 9.9.5-r3 is unaffected, please close this bug and file a GLSA Errata bug for GLSA-201502-03; if not, please cleanup.

*** Bug 529474 has been marked as a duplicate of this bug. ***

9.9.x is gone from the tree now.