From $URL:

Description: When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur. This deadlock will cause the server to stop processing all requests. A high query rate and/or a high update rate will increase the probability of this condition.

CVSS Score: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Solution: If you run BIND 9.7.1 or 9.7.2, upgrade to BIND 9.7.3. Earlier versions are not vulnerable. If you run BIND 9.6.x, 9.6-ESV-Rx, or 9.4-ESV-R4, you do not need to upgrade. BIND 9.5 is End of Life and is not supported by ISC. BIND 9.8 is not vulnerable.

@bind, =net-dns/bind-9.7.3 is already in the tree (thanks!). Can we move forward with stabilization?

(In reply to comment #0)
> @bind, =net-dns/bind-9.7.3 is already in the tree (thanks!). Can we move
> forward with stabilization?

Sure :)

(In reply to comment #1)
> Sure :)

Great, thanks.
Arches, please test and mark stable:
=net-dns/bind-9.7.3
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

(In reply to comment #2)
> (In reply to comment #1)
> > Sure :)
>
> Great, thanks.
>
> Arches, please test and mark stable:
> =net-dns/bind-9.7.3
> Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Sorry I totally forgot...
Please stabilize =net-dns/bind-tools-9.7.3 too then, as it belongs together.

For me, there is a problem. In another system, I can reproduce the issue described in bug 347621 comment #8.
To reproduce it I'm compiling bind enabling all USE flags:
[ebuild N ] net-dns/bind-9.7.3 USE="berkdb dlz doc geoip gssapi idn ipv6 ldap mysql odbc postgres resolvconf ssl threads urandom xml
Can anyone reproduce?

(In reply to comment #4)
> for me, there is a problem. In another system, i can reproduce issue described
> in bug 347621 comment #8
>
> To reproduce it i'm compiling bind enabling all USE flag:
>
> [ebuild N ] net-dns/bind-9.7.3 USE="berkdb dlz doc geoip gssapi idn ipv6
> ldap mysql odbc postgres resolvconf ssl threads urandom xml
>
> Anyone can reproduce?

Ok, got it now :)
It's fixed in CVS, 9.6.3 and 9.7.3.
Thanks! :)

(In reply to comment #5)
> Ok, got it now :)
> It's fixed in CVS, 9.6.3 and 9.7.3.
> Thanks! :)

Works!

x86 stable
ppc/ppc64 stable
Stable for HPPA.
amd64 done. Thanks Agostino
alpha/arm/ia64/s390/sh/sparc stable
Thanks, everyone. GLSA Vote: yes.

> Sorry I totally forgot...
> Please stabilize =net-dns/bind-tools-9.7.3 too then, as it belongs together.

How do they belong together? I am running a BIND server and don't really see a need/dependency for them.

> GLSA Vote: yes.

Yes, too. Added to pending GLSA.

(In reply to comment #13)
> > Sorry I totally forgot...
> > Please stabilize =net-dns/bind-tools-9.7.3 too then, as it belongs together.
>
> How do they belong together? I am running a BIND server and don't really see a
> need/dependency for them.

E.g. dig, nsupdate and esp. dnssec-keygen. They often get fixes/new features etc. on bumps.
But I'll file a new bug for it anyway.

Stabilized? See also: http://bugs.gentoo.org/show_bug.cgi?id=329001 build fails on amd64 with MAKEOPTS="-j3"
CVE-2011-0414 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0414): ISC BIND 9.7.1 through 9.7.2-P3, when configured as an authoritative server, allows remote attackers to cause a denial of service (deadlock and daemon hang) by sending a query at the time of (1) an IXFR transfer or (2) a DDNS update.
This issue was resolved and addressed in GLSA 201206-01 at http://security.gentoo.org/glsa/glsa-201206-01.xml by GLSA coordinator Stefan Behte (craig).