CVE-2007-2925: allow-query-cache/allow-recursion default acls not set. CVE-2007-2926: cryptographically weak query ids
pardon me, but will anyone take care of this? This bug has been here for 2 days,
(In reply to comment #1)
> pardon me, but will anyone take care of this?
> This bug has been here for 2 days,
Yeah, but we are quite understaffed atm, plus it's holidays so we're doing what we can here.
@bind: please bump as necessary.
As per http://article.gmane.org/gmane.linux.gentoo.devel/49788 I offered to help with bind - so here it goes. bind and bind-tools bumped to 9.4.1_p1, works for me and passes all tests.
Thanks a lot Tobias.
Hi arches, please test and mark stable bind-9.4.1_p1
Additionally, but it is not needed for a possible GLSA, arm and s390 will have to keyword bind-9.4.* if they want to be safe, unless someone backports the fix.
Stable for HPPA.
sparc stable.
(In reply to comment #4)
> Hi arches, please test and mark stable bind-9.4.1_p1
Plus the corresponding bind-tools-9.4.1_p1 ;)
alpha/ia64/x86 stable
ppc stable
net-dns/bind-9.4.1_p1 USE="berkdb mysql ssl threads -dlz -doc -idn -ipv6 -ldap -odbc -postgres -resolvconf (-selinux) -urandom"
net-dns/bind-tools-9.4.1_p1 USE="-idn -ipv6"
1. Emerges on AMD64.
2. No collisions etc.
3. Works.
It has not been in the tree for long, but this corrects security issues. I have upgraded it on my server and it has been running for around 3 hours without problems. Please mark stable on AMD64.
amd64 stable
ppc64 stable
How can this be seen as a minor issue? Just because ISC plays it down!? Quite the opposite, imho. Please read http://www.trusteer.com/docs/bind9dns_s.html, summary below. DNS cache poisoning is a very potent attack, made possible (in the case of BIND 9) by a flawed implementation of the DNS server, enabling an attacker to predict DNS transaction IDs. With DNS cache poisoning, an attacker can redirect traffic originally destined to a host name, to an IP address under his/her control, thus effectively conducting a large-scale pharming attack affecting all clients of the DNS server (ISP-wide or enterprise-wide).
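A defender-side illustration of the transaction-ID guessing described in the comment above, added here as an example and not part of the bug report or of BIND: a resolver that receives a burst of responses with the wrong ID while a query is still outstanding is seeing spoofing attempts. The event format, names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed resolver-side events, not taken from the bug report.
# ("Q", time, qname, txid)  query sent upstream
# ("R", time, qname, txid)  response received for that name
# Source addresses are left out: spoofed responses normally carry the
# real server's address, so they do not help tell the two apart.
SAMPLE_EVENTS = [
    ("Q", 0.000, "www.example.com", 0x1A2B),
    ("R", 0.004, "www.example.com", 0x5C01),
    ("R", 0.005, "www.example.com", 0x0F3E),
    ("R", 0.006, "www.example.com", 0xB7A0),
    ("R", 0.007, "www.example.com", 0x2219),
    ("R", 0.030, "www.example.com", 0x1A2B),   # genuine answer
    ("Q", 1.000, "mail.example.net", 0x77C1),
    ("R", 1.020, "mail.example.net", 0x77C1),
    ("Q", 2.000, "ftp.example.org", 0x0042),
    ("R", 2.010, "ftp.example.org", 0x9999),   # single stray packet
    ("R", 2.020, "ftp.example.org", 0x0042),
]

def find_poisoning_attempts(events, window=2.0, threshold=3):
    """Return {qname: wrong_id_count} for names that received at least
    `threshold` wrong-ID responses while a query was outstanding."""
    outstanding = defaultdict(dict)   # qname -> {txid: time sent}
    mismatches = defaultdict(int)
    for kind, t, qname, txid in sorted(events, key=lambda e: e[1]):
        pending = outstanding[qname]
        # Forget queries older than the resolver's retry window.
        for old in [i for i, sent in pending.items() if t - sent > window]:
            del pending[old]
        if kind == "Q":
            pending[txid] = t
        elif txid in pending:
            del pending[txid]         # ID matches: accepted as the answer
        elif pending:
            mismatches[qname] += 1    # answer raced in with a wrong ID
        # Responses with nothing outstanding are unsolicited; ignored here.
    return {q: n for q, n in mismatches.items() if n >= threshold}

if __name__ == "__main__":
    for name, count in find_poisoning_attempts(SAMPLE_EVENTS).items():
        print(f"ALERT {name}: {count} wrong-ID responses before the answer")
```

When IDs are predictable a spoofed answer can match on an early guess and leave few or no mismatches, so this check complements the upgrade to 9.4.1_p1 rather than replacing it.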
agreed, but currently this kind of attack isn't explicitly mentioned in our policy, maybe we should think about updating it to take that into account.
cc'ing amd64 again, you forgot to stable bind-tools too.
Btw, time for glsa vote, and obviously voting yes :)
I vote YES.
net-dns/bind-tools-9.4.1_p1 USE="ipv6 -idn"
1. Emerges on AMD64.
2. No collisions.
3. Test phase ok.
4. Works (can't test nsupdate) - and tested with net-analyzer/gnome-nettool rdep.
mips stable.
Definitely, I vote yes. Request filed.
it's GLSA 200708-13, thanks everybody