
Bug 605454 (CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2016-9778)

Summary: <net-dns/{bind,bind-tools}-9.11.0_p2: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: idl0r, kfm, luke
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa cve]
Package list:
=net-dns/bind-9.11.0_p2 =net-dns/bind-tools-9.11.0_p2 =dev-libs/fstrm-0.2.0-r1 alpha arm hppa
Runtime testing required: Yes
Bug Depends on: 615420    
Bug Blocks:    

Description Hanno Böck gentoo-dev 2017-01-12 09:43:49 UTC
See
http://www.openwall.com/lists/oss-security/2017/01/12/1

CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2016-9778

All seem to be asserts, thus the impact is that one may be able to remotely crash servers:
https://kb.isc.org/category/74/0/10/Software-Products/BIND9/Security-Advisories/

Fixed versions are 9.9.9-P5, 9.10.4-P5, 9.11.0-P2. Please bump.
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2017-01-12 16:11:38 UTC
net-dns/bind and net-dns/bind-tools 9.11.0_p2 have just been pushed.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-12 18:08:57 UTC
@ Arches,

please test and mark stable:

=net-dns/bind-9.11.0_p2
=net-dns/bind-tools-9.11.0_p2
Comment 3 Stabilization helper bot gentoo-dev 2017-01-12 18:37:23 UTC
An automated check of this bug failed - repoman reported dependency errors (15 lines truncated): 

> dependency.bad net-dns/bind/bind-9.11.0_p2.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['dev-libs/fstrm']
> dependency.bad net-dns/bind/bind-9.11.0_p2.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['dev-libs/fstrm']
> dependency.bad net-dns/bind/bind-9.11.0_p2.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop) ['dev-libs/fstrm']
Comment 4 Stabilization helper bot gentoo-dev 2017-01-13 15:05:09 UTC
An automated check of this bug failed - repoman reported dependency errors (1 lines truncated): 

> dependency.bad net-dns/bind/bind-9.11.0_p2.ebuild: DEPEND: arm(default/linux/arm/13.0) ['dev-libs/fstrm']
> dependency.bad net-dns/bind/bind-9.11.0_p2.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['dev-libs/fstrm']
> dependency.bad net-dns/bind/bind-9.11.0_p2.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['dev-libs/fstrm']
Comment 5 Agostino Sarubbo gentoo-dev 2017-01-13 17:07:09 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-01-15 16:08:49 UTC
ppc stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-15 22:21:04 UTC
Stable on alpha.
Comment 8 Agostino Sarubbo gentoo-dev 2017-01-16 10:16:21 UTC
x86 stable
Comment 9 kfm 2017-01-18 20:21:51 UTC
In order to maximise the timely uptake of this version by all users, I would recommend that bug 600212 be resolved as soon as is possible.
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-13 21:53:42 UTC
Superseded by bug 608740.
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-08 22:29:28 UTC
Superseded by bug 615420.

Added to an existing GLSA.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-08-17 03:03:05 UTC
This issue was resolved and addressed in
 GLSA 201708-01 at https://security.gentoo.org/glsa/201708-01
by GLSA coordinator Yury German (BlueKnight).