bind upstream has released two security advisories:
https://kb.isc.org/article/AA-01216
https://kb.isc.org/article/AA-01217
The first is a DoS issue with recursive queries and also affects powerdns and unbound. The second only affects bind 9.10 and is related to GeoIP. 9.9.6-P1 and 9.10.1-P1 have been released.
9.10.1-P1 has been added but not fully tested yet, esp. GeoIP.
(In reply to Christian Ruppert (idl0r) from comment #1)
> 9.10.1-P1 has been added but not fully tested yet, esp. GeoIP.

Thanks. Please initiate stabilization once you feel it is tested sufficiently.
(In reply to Kristian Fiskerstrand from comment #2)
> (In reply to Christian Ruppert (idl0r) from comment #1)
> > 9.10.1-P1 has been added but not fully tested yet, esp. GeoIP.
>
> Thanks. Please initiate stabilization once you feel it is tested
> sufficiently.

Basic functionality has been tested, though I am currently not able to test GeoIP features, esp. compatibility between 9.9.x and 9.10.x since GeoIP has been officially added/merged by upstream. I think we should go with 9.10.x anyway.
Arches, please test and mark stable:
=net-dns/bind-9.10.1_p1
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
@titanofold:
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-dns/bind/bind-9.10.1.ebuild?r1=1.4&r2=1.5
Was that keyword dropping on purpose? It was added a rev. before, by Mike. Can you restore the keywords please?
CVE-2014-8680 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8680): The GeoIP functionality in ISC BIND 9.10.0 through 9.10.1 allows remote attackers to cause a denial of service (assertion failure and named exit) via vectors related to (1) the lack of GeoIP databases for both IPv4 and IPv6, or (2) IPv6 support with certain options.

CVE-2014-8500 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8500): ISC BIND 9.0.x through 9.8.x, 9.9.0 through 9.9.6, and 9.10.0 through 9.10.1 does not limit delegation chaining, which allows remote attackers to cause a denial of service (memory consumption and named crash) via a large or infinite number of referrals.
amd64 stable
x86 stable
Stable for HPPA.
arm stable
alpha stable
ppc stable
ppc64 stable
ia64 stable
sparc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Arches, thank you for your work.
Maintainer(s), please drop the vulnerable version(s).
New GLSA Request filed.
CVE-2014-3214 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3214): The prefetch implementation in named in ISC BIND 9.10.0, when a recursive nameserver is enabled, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via a DNS query that triggers a response with unspecified attributes.
Maintainer(s), it has been 30 days since request for cleanup. Please drop the vulnerable versions.
This issue was resolved and addressed in GLSA 201502-03 at http://security.gentoo.org/glsa/glsa-201502-03.xml by GLSA coordinator Kristian Fiskerstrand (K_F).
It seems that 9.9.5-r3 is not affected.
(In reply to Mikle Kolyada from comment #20)
> it seems that 9.9.5-r3 is not affected.

Not as far as I'm aware, so reopening for cleanup.
@maintainers: if 9.9.5-r3 is unaffected, please close this bug and file a GLSA Errata bug for GLSA-201502-03; if not, please cleanup.
*** Bug 529474 has been marked as a duplicate of this bug. ***
9.9.x is gone from the tree now.