From $URL:
<--
BIND: allow-query processed incorrectly
Summary: Using "allow-query" in the "options" or "view" statements to restrict access to authoritative zones has no effect.
CVE: CVE-2010-3615
CERT: VU#510208
Posting date: 01 Dec 2010
Program Impacted: BIND
Versions affected: 9.7.2-P2
Severity: High
Exploitable: remotely
BIND: cache incorrectly allows a ncache entry and a rrsig for the same type
Summary: Failure to clear existing RRSIG records when a NO DATA is negatively cached could cause subsequent lookups to crash named.
CVE: CVE-2010-3613
CERT: VU#706148
Posting date: 01 Dec 2010
Program Impacted: BIND
Versions affected: 9.6.2 - 9.6.2-P2, 9.6-ESV - 9.6-ESV-R2, 9.7.0 - 9.7.2-P2
Severity: High
Exploitable: remotely
BIND: Key algorithm rollover bug in bind9
Summary: named (acting as DNSSEC validating resolver) could incorrectly mark zone data as insecure when the zone being queried is undergoing a key algorithm rollover.
CVE: CVE-2010-3614
CERT: VU#837744
Posting date: 01 Dec 2010
Program Impacted: BIND
Versions affected: 9.0.x to 9.7.2-P2, 9.4-ESV to 9.4-ESV-R3, 9.6-ESV to 9.6-ESV-R2
Severity: Low
Exploitable: remotely
<--
Fixed versions for 9.6.x and 9.7.x are already in the tree. I believe the 9.4.x ebuilds should be replaced with an ebuild based on BIND 9.4-ESV-R4.
(In reply to comment #0)
> I believe the 9.4.x
> ebuilds should be replaced with an ebuild based on BIND 9.4-ESV-R4.
>
To be honest... I'm not sure how to version it properly. I'd like to stabilize bind-9.6.2_p3-r1 and bind-9.4.3_p5-r3 soonish and get rid of 9.4 instead. It seems they dropped support for 9.4 except for security updates, like in this case. It's no longer listed on their download page, just left in their "archive".
(In reply to comment #1)
> I'd like to stabilize bind-9.6.2_p3-r1 and bind-9.4.3_p5-r3 soonish and get a
> rid of 9.4 instead.
>
I am a little confused. You just added:
*bind-9.7.2_p3-r1 (03 Dec 2010)
*bind-9.6.2_p3-r1 (03 Dec 2010)
*bind-9.4.3_p5-r3 (03 Dec 2010)
We should stabilize bind-9.7.2_p3-r1 and bind-9.6.2_p3-r1 on amd64 since the current stable versions are vulnerable.
Do you want to stabilize bind-9.4.3_p5-r3 on all stable archs? Or remove 9.4.* from the tree and stabilize bind-9.7.2_p3-r1 on all archs? Or, something else. ;)
(In reply to comment #2)
> (In reply to comment #1)
> > I'd like to stabilize bind-9.6.2_p3-r1 and bind-9.4.3_p5-r3 soonish and get a
> > rid of 9.4 instead.
> >
>
> I am a little confused. You just added:
>
> *bind-9.7.2_p3-r1 (03 Dec 2010)
> *bind-9.6.2_p3-r1 (03 Dec 2010)
> *bind-9.4.3_p5-r3 (03 Dec 2010)
>
> We should stabilize bind-9.7.2_p3-r1 and bind-9.6.2_p3-r1 on amd64 since the
> current stable versions are vulnerable.
>
> Do you want to stabilize bind-9.4.3_p5-r3 on all stable archs? Or remove 9.4.*
> from the tree and stabilize bind-9.7.2_p3-r1 on all archs? Or, something else.
> ;)
>
Ignore 9.4 there :P
I'd like to stabilize bind-9.6.2_p3-r1 *and* bind-9.7.2_p3-r1 on all arches and then remove 9.4 from the tree.
(In reply to comment #3)
>
> Ignore 9.4 there :P
> I'd like to stabilize bind-9.6.2_p3-r1 *and* bind-9.7.2_p3-r1 on all arches
> and then remove 9.4 from the tree.
>
Great, thanks.
Arches, please test and mark stable:
=net-dns/bind-9.7.2_p3-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
=net-dns/bind-9.6.2_p3-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
x86 stable
Stable for HPPA PPC.
9.7.2 is amd64 stable - have not tested 9.6.2
checking for ODBC DLZ driver... not found
configure: error: ODBC headers were not found in any of /usr /usr/local /usr/pkg; use --with-dlz-odbc=/path
!!! Please attach the following file when seeking support:
!!! /tmp/portage/net-dns/bind-9.6.2_p3-r1/work/bind-9.6.2-P3/config.log
 * ERROR: net-dns/bind-9.6.2_p3-r1 failed:
 *   econf failed
 *
 * Call stack:
 *   ebuild.sh, line 56: Called src_configure
 *   environment, line 3366: Called econf '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool' '--with-openssl' '--with-idn' '--enable-ipv6' '--with-libxml2' '--with-gssapi' '--with-dlz-filesystem' '--with-dlz-stub' '--with-dlz-postgres' '--with-dlz-mysql' '--with-dlz-bdb' '--with-dlz-ldap' '--with-dlz-odbc' '--disable-linux-caps' '--disable-threads' '--with-randomdev=/dev/urandom' '--with-geoip
Can someone else, with +odbc, reproduce it?
Tested on SPARC, works. Stabilisation would be good.
(In reply to comment #8)
> checking for ODBC DLZ driver... not found
> configure: error: ODBC headers were not found in any of /usr /usr/local
> /usr/pkg; use --with-dlz-odbc=/path
>
> !!! Please attach the following file when seeking support:
> !!! /tmp/portage/net-dns/bind-9.6.2_p3-r1/work/bind-9.6.2-P3/config.log
> * ERROR: net-dns/bind-9.6.2_p3-r1 failed:
> * econf failed
> *
> * Call stack:
> * ebuild.sh, line 56: Called src_configure
> * environment, line 3366: Called econf '--sysconfdir=/etc/bind'
> '--localstatedir=/var' '--with-libtool' '--with-openssl' '--with-idn'
> '--enable-ipv6' '--with-libxml2' '--with-gssapi' '--with-dlz-filesystem'
> '--with-dlz-stub' '--with-dlz-postgres' '--with-dlz-mysql' '--with-dlz-bdb'
> '--with-dlz-ldap' '--with-dlz-odbc' '--disable-linux-caps' '--disable-threads'
> '--with-randomdev=/dev/urandom' '--with-geoip
>
>
> someone else, with +odbc, can reproduce it?
>
Works for me with both versions.
arm stable
(In reply to comment #10)
>
> Works for me with both versions.
>
Tested in a new clean installation, same problem. It does not work for me on amd64.
alpha/ia64/s390/sh/sparc stable
ppc64 done
amd64 done
Thank you, folks. GLSA Vote: Yes, remote DoS (CVE-2010-3613).
Yes, GLSA request filed.
This issue was resolved and addressed in GLSA 201206-01 at http://security.gentoo.org/glsa/glsa-201206-01.xml by GLSA coordinator Stefan Behte (craig).