Bug 540640 (CVE-2015-1349) - <net-dns/bind-9.10.2_p4: Denial of Service due to issue with Trust Anchor Management (CVE-2015-1349)
Alias: CVE-2015-1349
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa cve]
Reported: 2015-02-19 11:29 UTC by Marc Schiffbauer
Modified: 2015-10-18 19:52 UTC
Description Marc Schiffbauer gentoo-dev 2015-02-19 11:29:38 UTC
BIND servers which are configured to perform DNSSEC validation and which are using managed-keys (which occurs implicitly when using "dnssec-validation auto;" or "dnssec-lookaside auto;") may terminate with an assertion failure when encountering all of the following conditions in a managed trust anchor:

    a key which was previously trusted is now flagged as revoked;
    there are no other trusted keys available;
    there is a standby key, but it is not trusted yet

This situation results in termination of the named process and denial of service to clients, and can occur in two circumstances:

    during an improperly-managed key rollover for one of the managed trust anchors (e.g., during a botched root key rollover), or
    when deliberately triggered by an attacker, under specific and limited circumstances. ISC has demonstrated a proof-of-concept of this attack; however, the complexity of the attack is very high unless the attacker has a specific network relationship to the BIND server which is targeted
Comment 1 Marc Schiffbauer gentoo-dev 2015-03-10 00:46:51 UTC
Seems like net-dns/bind is pretty much unmaintained... Gentoo has had only these vulnerable versions in tree for weeks now :-/

@idl0r: Ping? Are you too busy? Or not interested in net-dns/bind anymore?
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-06-15 00:42:15 UTC
CVE-2015-1349:
  named in ISC BIND 9.7.0 through 9.9.6 before 9.9.6-P2 and 9.10.x before
  9.10.1-P2, when DNSSEC validation and the managed-keys feature are enabled,
  allows remote attackers to cause a denial of service (assertion failure and
  daemon exit, or daemon crash) by triggering an incorrect trust-anchor
  management scenario in which no key is ready for use.
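An exposure check that combines the configuration conditions from the description with the version ranges in the CVE text above. This is an added example, not part of the bug report or of ISC's code; the function names and the sample named.conf fragment are constructed for illustration, and the version argument is assumed to be an upstream BIND version string such as 9.9.6-P1.

```python
import re

# Constructed sample named.conf fragment (illustrative, not from the bug report).
SAMPLE_CONF = """
options {
    directory "/var/bind";
    // dnssec-validation no;
    dnssec-validation auto;
};
"""

def parse_version(v):
    """Upstream BIND version to a tuple: '9.9.6-P1' -> (9, 9, 6, 1)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?", v.strip())
    if not m:
        # Pre-release or vendor-suffixed strings are deliberately rejected.
        raise ValueError(f"unrecognised BIND version: {v!r}")
    return tuple(int(g or 0) for g in m.groups())

def version_affected(v):
    """CVE text ranges: 9.7.0 up to (excluding) 9.9.6-P2, 9.10.x before 9.10.1-P2."""
    ver = parse_version(v)
    return ((9, 7, 0, 0) <= ver < (9, 9, 6, 2)
            or (9, 10, 0, 0) <= ver < (9, 10, 1, 2))

def strip_comments(conf):
    """Drop /* */, // and # comments (simplification: ignores quoted strings)."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(?://|#).*", "", conf)

def managed_keys_in_use(conf):
    """Return the active statements that put managed trust anchors in effect."""
    text = strip_comments(conf)
    found = re.findall(r"\bdnssec-(?:validation|lookaside)\s+auto\s*;", text)
    found += re.findall(r"\bmanaged-keys\s*\{", text)
    return [re.sub(r"\s+", " ", f) for f in found]

def exposed(version, conf):
    """True when an affected version runs with managed-keys in effect."""
    return version_affected(version) and bool(managed_keys_in_use(conf))

if __name__ == "__main__":
    for ver in ("9.9.6-P1", "9.9.6-P2", "9.10.1-P1", "9.10.1-P2"):
        print(ver, exposed(ver, SAMPLE_CONF), managed_keys_in_use(SAMPLE_CONF))
```

Distribution version strings (for example Gentoo's `_p` suffix) must be mapped to the upstream form before calling `parse_version`.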
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-10-18 19:51:42 UTC
This issue was resolved and addressed in
 GLSA 201510-01 at
by GLSA coordinator Mikle Kolyada (Zlogene).
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2015-10-18 19:52:05 UTC
This issue was resolved and addressed in
 GLSA 201510-01 at
by GLSA coordinator Mikle Kolyada (Zlogene).