Bug 368981 (CVE-2011-1922) - <net-dns/unbound-1.4.10: Remote DoS (CVE-2011-1922)
Summary: <net-dns/unbound-1.4.10: Remote DoS (CVE-2011-1922)
Alias: CVE-2011-1922
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Reported: 2011-05-28 06:28 UTC by TANABE Ken-ichi
Modified: 2011-10-15 09:23 UTC
Description TANABE Ken-ichi 2011-05-28 06:28:46 UTC
From Changelog:

 - Fix assertion failure when unbound generates an empty error reply
   in response to a query, CVE-2011-1922 VU#531342.

Reproducible: Always
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-05-28 17:18:26 UTC
According to [1] this is fixed in 1.4.10.

@matsuu, thanks for putting 1.4.10 in the tree so quickly. Can we stabilize =net-dns/unbound-1.4.10? Thanks!

Comment 2 MATSUU Takuto (RETIRED) gentoo-dev 2011-05-30 01:50:27 UTC
Sorry for the delay.

Please mark stable =net-dns/unbound-1.4.10.

unbound-1.4.8.ebuild:KEYWORDS="amd64 x86 ~x64-macos"
unbound-1.4.10.ebuild:KEYWORDS="~amd64 ~x86 ~x64-macos"
Comment 3 Andreas Schürch gentoo-dev 2011-05-30 05:43:06 UTC
Tested on x86, looks good to go here.
Comment 4 Agostino Sarubbo gentoo-dev 2011-05-30 12:06:55 UTC
amd64 ok
Comment 5 Ian Delaney (RETIRED) gentoo-dev 2011-05-30 15:29:23 UTC

ditto Ago
Comment 6 Christoph Mende (RETIRED) gentoo-dev 2011-05-31 11:26:49 UTC
amd64 stable
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-05-31 13:32:17 UTC
x86 stable, thanks Andreas (last arch done)
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-05-31 16:46:16 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2011-06-13 19:56:32 UTC
CVE-2011-1922:
  daemon/worker.c in Unbound 1.x before 1.4.10, when debugging functionality
  and the interface-automatic option are enabled, allows remote attackers to
  cause a denial of service (assertion failure and daemon exit) via a crafted
  DNS request that triggers improper error handling.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:09:36 UTC
Vote: YES. New GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-10-15 09:23:14 UTC
This issue was resolved and addressed in
 GLSA 201110-12 at
by GLSA coordinator Tobias Heinlein (keytoaster).
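
An exposure check built from the two facts this thread gives (fixed in 1.4.10; the CVE text in Comment 9 names the interface-automatic option), as an added example that is not part of the original bug report. The function names, result labels and sample configuration are constructed for illustration; it assumes GNU `sort -V` and that a later setting overrides an earlier one, and it cannot tell whether the installed build has debugging enabled.

```shell
#!/bin/sh
# Added example: triage a host for CVE-2011-1922 from an unbound version
# string and an unbound.conf path. Not code from the Gentoo bug or from unbound.

FIXED_VERSION="1.4.10"   # first fixed release, per the bug title

# version_lt A B: succeed when version A sorts strictly before version B.
# sort -V orders 1.4.8 before 1.4.10; a plain string compare would not.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# interface_automatic_enabled FILE: succeed when the last uncommented
# "interface-automatic:" line in FILE is set to yes.
# Assumption: a later setting overrides an earlier one.
interface_automatic_enabled() {
    value=$(sed -e 's/#.*//' "$1" |
        awk -F: '$1 ~ /^[ \t]*interface-automatic[ \t]*$/ {
                     gsub(/[ \t"]/, "", $2); v = $2 }
                 END { print v }')
    [ "$value" = "yes" ]
}

# assess VERSION FILE: print fixed, version-only or version+config.
# "version+config" still needs a debug-enabled build to be reachable,
# which a version string and a config file cannot reveal.
assess() {
    if ! version_lt "$1" "$FIXED_VERSION"; then
        echo "fixed"
    elif interface_automatic_enabled "$2"; then
        echo "version+config"
    else
        echo "version-only"
    fi
}

# Constructed sample configuration (not taken from the page).
make_sample_conf() {
    cat > "$1" <<'EOF'
server:
    # interface-automatic: no
    interface: 0.0.0.0
    interface-automatic: yes   # trailing comment is ignored
EOF
}

# Usage: sh check.sh 1.4.8 /etc/unbound/unbound.conf
if [ "$#" -eq 2 ]; then assess "$1" "$2"; fi
```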