| Summary: | <net-dns/bind{,-tools}-9.10.3_p4: Multiple vulnerabilities (CVE-2016-{1285,1286,2088}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | barzog, ercpe, floppym, halcon, idl0r, vk-gentoo-bugs |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | A3 [glsa cve] | | |
| Package list: | | Runtime testing required: | --- |

Description
Kristian Fiskerstrand (RETIRED)
2016-03-09 20:10:03 UTC
CVE-2016-2088 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2088): resolver.c in named in ISC BIND 9.10.x before 9.10.3-P4, when DNS cookies are enabled, allows remote attackers to cause a denial of service (INSIST assertion failure and daemon exit) via a malformed packet with more than one cookie option.

CVE-2016-1286 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1286): named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted signature record for a DNAME record, related to db.c and resolver.c.

CVE-2016-1285 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1285): named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a malformed packet to the rndc (aka control channel) interface, related to alist.c and sexpr.c.

@maintainer, please let us know if you would like to call for stabilization on 9.10.3_p4. Thanks.

Any reason this has not even begun stabilization yet? There are remote vulns in here...

Feel free to stabilize. Please stabilize both, =net-dns/bind-9.10.3_p4 and =net-dns/bind-tools-9.10.3_p4.

Arches, please stabilize: =net-dns/bind-9.10.3_p4 =net-dns/bind-tools-9.10.3_p4. Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

amd64 stable

x86 stable

Stable for HPPA PPC64.

arm stable

alpha stable

ppc stable

sparc stable

ia64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

@arches, it looks like we missed net-dns/bind-tools on this. Please stabilize: =net-dns/bind-tools-9.10.3_p4

New GLSA request filed.

Stable for HPPA PPC64.

ia64/ppc/sparc done.

sparc stable

This issue was resolved and addressed in GLSA 201610-07 at https://security.gentoo.org/glsa/201610-07 by GLSA coordinator Kristian Fiskerstrand (K_F).