From: Mark_Andrews@isc.org
Subject: Internet Systems Consortium Security Advisory.
Date: September 5, 2006 7:36:06 PM EDT
To: bind-announce@isc.org

Internet Systems Consortium Security Advisory.
BIND 9: Multiple DoS vulnerabilities
5 September 2006

Versions affected:
    BIND 9.3.0, BIND 9.3.1, BIND 9.3.2, BIND 9.3.3b1 and BIND 9.3.3rc1
    BIND 9.4.0a1, 9.4.0a2, 9.4.0a3, 9.4.0a4, 9.4.0a5, 9.4.0a6 and 9.4.0b1.
    See note for BIND 9.2.x
Severity: HIGH
Exploitable: Remotely
Type: DoS

SIG Query Processing (CVE-2006-4095):

Recursive servers: Queries for SIG records will trigger an assertion failure if more than one SIG(covered) RRset is returned. Exposure can be minimized by restricting sources that can ask for recursion.

Authoritative servers: If a nameserver is serving an RFC 2535 DNSSEC zone and is queried for the SIG records where there are multiple SIG(covered) RRsets (e.g. a zone apex) then named will trigger an assertion failure when it tries to construct the response.

Excessive Recursive Queries INSIST failure (CVE-2006-4096):

It is possible to trigger an INSIST failure by sending enough recursive queries that the response to the query arrives after all the clients looking for the response have left the recursion queue. Exposure can be minimized by restricting sources that can ask for recursion.

Note for BIND 9.2.x: Code handling this path for 9.2.x has been determined to be wrong, though ISC has not been able to detect an execution path that would trigger the erroneous code in 9.2.x. Nonetheless a patch is provided.

Fix: Upgrade to BIND 9.4.0b2, BIND 9.3.3rc2, BIND 9.3.2-P1, BIND 9.2.7rc1 or BIND 9.2.6-P1 (or later). These can be found via: http://www.isc.org/sw/bind/
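The advisory's interim mitigation for both issues is to restrict which sources can ask for recursion. As an added example (not part of the advisory and not ISC code), this Python check reports whether a named.conf text applies such a restriction; the function names and sample configurations are constructed, and it assumes that a configuration with no allow-recursion statement answers recursive queries from any source.

```python
import re

def strip_comments(conf: str) -> str:
    conf = re.sub(r"/\*.*?\*/", " ", conf, flags=re.S)  # /* C style */
    return re.sub(r"(#|//).*", " ", conf)               # shell and C++ style

def acl_lists(conf: str) -> dict:
    """Map each `acl name { ... };` statement to its list of elements."""
    return {m.group(1).strip('"'): m.group(2).replace(";", " ").split()
            for m in re.finditer(r"\bacl\s+(\S+)\s*\{([^{}]*)\}", conf)}

def recursion_exposure(conf: str) -> str:
    """Return 'disabled', 'restricted' or 'open' for a named.conf text."""
    conf = strip_comments(conf)
    if re.search(r"\brecursion\s+no\s*;", conf):
        return "disabled"
    m = re.search(r"\ballow-recursion\s*\{([^{}]*)\}", conf)
    if m is None:
        # Assumption: a missing (or nested, unparsed) list means unrestricted.
        return "open"
    acls, seen = acl_lists(conf), set()
    pending = m.group(1).replace(";", " ").split()
    while pending:                      # follow named ACLs until resolved
        item = pending.pop().strip('"')
        if item in ("any", "0.0.0.0/0", "::/0"):
            return "open"
        if item in acls and item not in seen:
            seen.add(item)
            pending.extend(acls[item])
    return "restricted"

# Constructed sample configurations (192.0.2.0/24 is a documentation range).
NO_STATEMENT = 'options { directory "/var/bind"; };  // nothing about recursion'
RESTRICTED = """
acl trusted { 127.0.0.1; 192.0.2.0/24; };  # internal resolver clients
options { allow-recursion { trusted; }; };
"""
INDIRECT_ANY = """
acl everyone { any; };
options { allow-recursion { everyone; }; };
"""
AUTH_ONLY = "options { recursion no; };"

if __name__ == "__main__":
    for name in ("NO_STATEMENT", "RESTRICTED", "INDIRECT_ANY", "AUTH_ONLY"):
        print(name, "->", recursion_exposure(globals()[name]))
```

A "restricted" result only narrows who can reach the recursive code paths; the authoritative-server case of CVE-2006-4095 is unaffected by it, so the upgrade is still required.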
Thanks Raviv Voxus, please bump 9.3.2-p1 please, see http://www.isc.org/sw/bind/bind9.3.php#security
Note that CVE-2006-2073 seems to be still unfixed on bug #131337.
*** Bug 146632 has been marked as a duplicate of this bug. ***
Pulling in herd.
> Note that CVE-2006-2073 seems to be still unfixed on bug #131337.
Yes, but CVE-2006-2073, a different issue, remains unpatched and has a weaker gravity. It is very hard to exploit. BTW, this current bug can be trivially triggered, we need an update asap.
Created attachment 96326
bind-9.3.2-r4.ebuild.diff
As I've been affected, I investigated the needed steps and this small ebuild diff made it for me.
> bind-9.3.2-r4.ebuild.diff
Thanks, I'm using it now. Bind team, please advise.
committed 9.2.6-r4 and 9.3.2-r4 tested on x86 and ~amd64
Thx Konstantin. Arches please test and mark stable.
amd64 stable.
ppc stable
ppc64 stable
S P A R C S T A B L E
alpha stable.
for some reason x86 wasn't added to CC... fixing hppa, x86 pls test and mark 9.2.6-r4 and 9.3.2-r4 stable if possible
X86 stable. Bind passes collision test, 9.3.2-r4 tested in production.
HPPA team, any trouble here?
killerfox is probably away so I took it. hppa stable.
This one is ready for GLSA.
welcome to GLSA 200609-11!