Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 301548 (CVE-2010-0097) - <net-dns/bind-9.4.3_p5 Cache poisoning (CVE-2009-4022,CVE-2010-0097)
Summary: <net-dns/bind-9.4.3_p5 Cache poisoning (CVE-2009-4022,CVE-2010-0097)
Status: RESOLVED FIXED
Alias: CVE-2010-0097
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
Depends on: 308035
Blocks:
  Show dependency tree
 
Reported: 2010-01-19 17:57 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2010-06-02 21:24 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2010-01-19 17:57:18 UTC 
see also http://bugs.gentoo.org/show_bug.cgi?id=294497


To: bind-announce@isc.org
Date: Tue, 19 Jan 2010 17:27:49 +0000
Subject: ISC BIND 9.4.3-P5 is now available


                     BIND 9.4.3-P5 is now available.

BIND 9.4.3-P5 is a SECURITY PATCH for BIND 9.4.3.  It addresses two
potential cache poisoning vulnerabilities, both of which could allow
a validating recursive nameserver to cache data which had not been
authenticated or was invalid.

        Bugs should be reported to bind9-bugs@isc.org.

CVE identifiers: CVE-2009-4022, CVE-2010-0097
CERT advisories: VU#418861, VU#360341.

Information about these vulnerabilities can be found at:

        https://www.isc.org/advisories/CVE-2009-4022v6
        https://www.isc.org/advisories/CVE-2010-0097
Comment 1 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2010-01-19 17:58:09 UTC 
Changes since 9.4.3-P4:

2831.   [security]      Do not attempt to validate or cache
                        out-of-bailiwick data returned with a secure
                        answer; it must be re-fetched from its original
                        source and validated in that context. [RT #20819]

2828.   [security]      Cached CNAME or DNAME RR could be returned to clients
                        without DNSSEC validation. [RT #20737]

2827.   [security]      Bogus NXDOMAIN could be cached as if valid. [RT #20712]
Comment 2 Christian Ruppert (idl0r) gentoo-dev 2010-01-26 18:55:27 UTC 
bind-9.4.3_p5 and bind-9.6.1_p3 are in tree now.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-27 19:25:45 UTC 
Bind herd, is this ready for stabilization?
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-01 13:08:23 UTC 
CVE-2010-0097 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0097):
  ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before
  9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta does not properly
  validate DNSSEC (1) NSEC and (2) NSEC3 records, which allows remote
  attackers to add the Authenticated Data (AD) flag to a forged
  NXDOMAIN response for an existing domain.
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-01 13:21:17 UTC 
bind herd, ping, please see comment #3.
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2010-03-01 20:00:47 UTC 
(In reply to comment #3)
> Bind herd, is this ready for stabilization? 
> 

sure, let's go ...
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-01 20:15:34 UTC 
Arches, please test and mark stable:
=net-dns/bind-9.6.1_p3
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-01 20:18:18 UTC 
Uh, scratch that, wrong version. This is correct:

Arches, please test and mark stable:
=net-dns/bind-9.4.3_p5
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 9 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-03-02 06:35:37 UTC 
=net-dns/bind-9.4.3_p5 is now stable on x86
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2010-03-02 15:14:07 UTC 
Stable for HPPA.
Comment 11 Brent Baude (RETIRED) gentoo-dev 2010-03-02 15:50:06 UTC 
ppc64 done
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2010-03-03 19:53:47 UTC 
alpha/arm/ia64/s390/sh/sparc, and i also took the liberty to do bind-tools.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:21:08 UTC 
Ready to vote, I vote YES.
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:22:59 UTC 
Uh, we also need to wait for 308035 (CVE-2010-0290) as it seems, this fix was incomplete..
Comment 15 Markus Meier gentoo-dev 2010-03-07 14:48:02 UTC 
amd64 stable
Comment 16 Brent Baude (RETIRED) gentoo-dev 2010-03-23 19:46:24 UTC 
ppc done; closing as last arch
Comment 17 Tony Vroon (RETIRED) gentoo-dev 2010-03-23 19:54:36 UTC 
GLSA vote positive and no announcement sent yet, reopening.
Comment 18 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-29 22:16:04 UTC 
Thanks everyone, GLSA request filed.
Comment 19 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-02 21:24:25 UTC 
GLSA 201006-11