
Bug 666946 (aa-01639, CVE-2018-5740, CVE-2018-5741)

Summary: <net-dns/bind-{9.11.4_p2, 9.12.2_p2}: assertion failure flaw in 'deny-answer-aliases'
Product: Gentoo Security
Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: idl0r
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://kb.isc.org/docs/aa-01639
Whiteboard: C3 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 657654
Bug Blocks:

Description D'juan McDonald (domhnall) 2018-09-24 05:16:55 UTC
from $URL

Description: 

"deny-answer-aliases" is a little-used feature intended to help recursive server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers.  However, a defect in this feature makes it easy, when the feature is in use, to experience an assertion failure in name.c.

Bug URL: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908595

@maintainer(s): "ISC BIND 9.x versions prior to 9.11.4-P2 and 9.12.2-P2 are vulnerable. Not vulnerable version:

ISC Bind 9.13.3
ISC Bind 9.12.2-P2
ISC Bind 9.11.4-P2
"


Gentoo Security Padawan
(domhnall)
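
A defensive check for the condition the report above describes, added here as an example and not part of the bug report or of ISC's or Gentoo's code: it tests whether a named.conf actually enables "deny-answer-aliases" and whether the installed version is at or above the releases the report lists as not vulnerable. The function names, the sample configuration and the per-branch reading of the version list are assumptions.

```python
import re

# Lowest not-vulnerable release per branch, as listed in the report:
# 9.11.4-P2, 9.12.2-P2, 9.13.3. Treating each as a per-branch floor is an assumption.
FIXED = {(9, 11): (4, 2), (9, 12): (2, 2), (9, 13): (3, 0)}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-_][Pp](\d+))?")

# Constructed sample named.conf: one commented-out and one active statement.
SAMPLE_CONF = """
options {
    // deny-answer-aliases { "old.example"; };
    deny-answer-aliases { "example.net"; } except-from { "example.org"; };
};
"""

def parse_version(text):
    """Parse upstream '9.11.4-P2' or Gentoo '9.11.4_p2' into (9, 11, 4, 2)."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no BIND version in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_patched(version_text):
    """True/False on branches the report names, None on any other branch."""
    major, minor, patch, plevel = parse_version(version_text)
    floor = FIXED.get((major, minor))
    return None if floor is None else (patch, plevel) >= floor

def strip_comments(conf):
    """Drop /* */, // and # comments (simplified: ignores quoted strings)."""
    conf = re.sub(r"/\*.*?\*/", " ", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def uses_deny_answer_aliases(conf):
    """True when an active (uncommented) deny-answer-aliases statement exists."""
    return re.search(r"\bdeny-answer-aliases\s*\{", strip_comments(conf)) is not None

def assess(version_text, conf):
    """Combine both checks: the flaw matters only when the feature is in use."""
    if not uses_deny_answer_aliases(conf):
        return "feature not in use"
    patched = is_patched(version_text)
    if patched is None:
        return "feature in use; branch not listed in the report"
    return "feature in use; patched" if patched else "feature in use; upgrade needed"

if __name__ == "__main__":
    for v in ("9.11.3", "9.11.4_p2", "9.10.8"):
        print(v, "->", assess(v, SAMPLE_CONF))
```
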
Comment 1 D'juan McDonald (domhnall) 2018-09-25 20:58:25 UTC
@maintainer(s): any chance versions: 9.12.2_p1, 9.12.1_p2, 9.11.2_p1 are affected?
Comment 2 D'juan McDonald (domhnall) 2018-09-25 22:58:15 UTC
adding alias and additional link for tracking purposes:

https://kb.isc.org/docs/cve-2018-5741
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-11-25 00:22:50 UTC
@maintainers, please call for stable when ready.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2019-03-10 00:32:15 UTC
Stabilized from Bug #657654
GLSA Vote: Yes
Added to an existing GLSA Request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2019-03-14 01:42:24 UTC
This issue was resolved and addressed in
 GLSA 201903-13 at https://security.gentoo.org/glsa/201903-13
by GLSA coordinator Aaron Bauman (b-man).