bind upstream has released two security advisories:
The first is a DoS issue with recursive queries and also affects powerdns and unbound. The second only affects bind 9.10 and is related to GeoIP.
9.9.6-P1 and 9.10.1-P1 have been released.
9.10.1-P1 has been added but not fully tested yet, esp. GeoIP.
(In reply to Christian Ruppert (idl0r) from comment #1)
> 9.10.1-P1 has been added but not fully tested yet, esp. GeoIP.
Thanks. Please initiate stabilization once you feel it is tested sufficiently.
(In reply to Kristian Fiskerstrand from comment #2)
> (In reply to Christian Ruppert (idl0r) from comment #1)
> > 9.10.1-P1 has been added but not fully tested yet, esp. GeoIP.
> Thanks. Please initiate stabilization once you feel it is tested
Basic functionality has been tested, though I am currently not able to test GeoIP features, esp. compatibility between 9.9.x and 9.10.x since GeoIP has been officially added/merged by upstream. I think we should go with 9.10.x anyway.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Was that keyword dropping on purpose? It was added a rev. before, by Mike. Can you restore the keywords please?
The GeoIP functionality in ISC BIND 9.10.0 through 9.10.1 allows remote
attackers to cause a denial of service (assertion failure and named exit)
via vectors related to (1) the lack of GeoIP databases for both IPv4 and
IPv6, or (2) IPv6 support with certain options.
ISC BIND 9.0.x through 9.8.x, 9.9.0 through 9.9.6, and 9.10.0 through 9.10.1
does not limit delegation chaining, which allows remote attackers to cause a
denial of service (memory consumption and named crash) via a large or
infinite number of referrals.
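The delegation-chaining issue described in the CVE text above, as an added example that is not part of this bug report or of ISC's code: a toy iterative resolver follows referrals from a constructed, in-memory delegation map that contains a referral loop. Without a chaining limit the loop below would never return (the memory-consumption DoS the advisory describes); the bounded version mirrors the limit BIND 9.9.6-P1/9.10.1-P1 introduced (the `max-recursion-depth` option, default 7). The names, addresses and the `ZONES` map are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed delegation data (not real DNS): name -> ("answer", ip) or ("referral", ns_name).
# Resolving a referral means resolving the nameserver's own name first, so chains can loop.
ZONES: Dict[str, Tuple[str, str]] = {
    "www.good.example.": ("referral", "ns.good.example."),
    "ns.good.example.": ("answer", "192.0.2.10"),
    # Two delegations whose nameservers point at each other: an infinite referral chain.
    "www.loop.example.": ("referral", "ns.a.example."),
    "ns.a.example.": ("referral", "ns.b.example."),
    "ns.b.example.": ("referral", "ns.a.example."),
}


class ReferralLimitExceeded(Exception):
    """Raised when a lookup needs more chained referrals than the resolver allows."""


def resolve(name: str, max_depth: int = 7, trace: Optional[List[str]] = None) -> str:
    """Follow referrals until an address is found, giving up after max_depth hops.

    Removing the depth check is the unpatched behaviour: for www.loop.example. the
    loop never terminates and every hop queues another outstanding query.
    """
    depth = 0
    while True:
        if trace is not None:
            trace.append(name)
        kind, value = ZONES[name]  # KeyError stands in for NXDOMAIN in this toy
        if kind == "answer":
            return value
        depth += 1
        if depth > max_depth:
            raise ReferralLimitExceeded(f"{name}: more than {max_depth} chained referrals")
        name = value  # chase the referral: look up the nameserver's name next


def lookups_before_refusal(name: str, max_depth: int = 7) -> int:
    """Number of lookups performed before the resolver answered or refused."""
    trace: List[str] = []
    try:
        resolve(name, max_depth=max_depth, trace=trace)
    except ReferralLimitExceeded:
        pass
    return len(trace)


if __name__ == "__main__":
    print("www.good.example. ->", resolve("www.good.example."))
    print("www.loop.example. refused after", lookups_before_refusal("www.loop.example."), "lookups")
```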
Stable for HPPA.
Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Arches, thank you for your work.
Maintainer(s), please drop the vulnerable version(s).
New GLSA Request filed.
The prefetch implementation in named in ISC BIND 9.10.0, when a recursive
nameserver is enabled, allows remote attackers to cause a denial of service
(REQUIRE assertion failure and daemon exit) via a DNS query that triggers a
response with unspecified attributes.
Maintainer(s), it has been 30 days since request for cleanup.
Please drop the vulnerable versions.
This issue was resolved and addressed in
GLSA 201502-03 at http://security.gentoo.org/glsa/glsa-201502-03.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).
It seems that 9.9.5-r3 is not affected.
(In reply to Mikle Kolyada from comment #20)
> it seems that 9.9.5-r3 is not affected.
Not as far as I'm aware, so reopening for cleanup.
@maintainers: if 9.9.5-r3 is unaffected, please close this bug and file a GLSA Errata bug for GLSA-201502-03; if not, please cleanup.
*** Bug 529474 has been marked as a duplicate of this bug. ***
9.9.x is gone from the tree now.