Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 553584 (CVE-2015-4620) - <net-dns/bind-9.10.2_p2: Denial of Service via specially constructed zone data (CVE-2015-4620)
Summary: <net-dns/bind-9.10.2_p2: Denial of Service via specially constructed zone dat...
Status: RESOLVED FIXED
Alias: CVE-2015-4620
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-06-29 19:11 UTC by Tobias Heinlein (RETIRED)
Modified: 2015-10-18 19:52 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
bind9-patch-CVE-2015-4620 (bind9-patch-CVE-2015-4620.txt,768 bytes, text/plain)
2015-06-29 19:12 UTC, Tobias Heinlein (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Heinlein (RETIRED) gentoo-dev 2015-06-29 19:11:34 UTC
ISC is planning on announcing a vulnerability tomorrow (2015-06-30)
around 1000 PDT (1700 UTC).

  CVE-2015-4620: Specially Constructed Zone Data Can Cause a Resolver
  to Crash when Validating, affecting BIND versions 9.7.1+

Please refrain from public announcement and publication of new packages
until after we have made our public announcement.

The BIND 9.9.7-P1 and 9.10.2-P2 versions will include the fix for this 
issue. A patch to correct this issue is also attached to this message 
which may be used to build replacement BIND packages for your users.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2015-06-29 19:12:52 UTC
Created attachment 405968 [details]
bind9-patch-CVE-2015-4620
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2015-06-30 18:10:53 UTC
Public announcement has been postponed.
Comment 4 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-08 17:44:39 UTC
9.10.2-P2 has been added. if you want to stabilize then please stabilize bind as well as bind-tools 9.10.2_p2.
Comment 5 Kristian Fiskerstrand gentoo-dev Security 2015-07-08 17:49:37 UTC
(In reply to Christian Ruppert (idl0r) from comment #4)
> 9.10.2-P2 has been added. if you want to stabilize then please stabilize
> bind as well as bind-tools 9.10.2_p2.

Thanks for adding
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-07-09 17:04:20 UTC
Arches, please stabilize:

=net-dns/bind-9.10.2_p2

=net-dns/bind-tools-9.10.2_p2

target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-07-09 17:34:49 UTC
amd64 stable
Comment 8 Jeroen Roovers gentoo-dev 2015-07-11 06:27:22 UTC
Stable for HPPA PPC64.
Comment 9 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-07-11 19:00:47 UTC
x86 stable
Comment 10 Tobias Klausmann gentoo-dev 2015-07-14 19:19:20 UTC
Stable on alpha.
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-07-15 16:25:20 UTC
arm stable
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2015-07-16 12:06:50 UTC
CVE-2015-4620 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4620):
  name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x
  before 9.10.2-P2, when configured as a recursive resolver with DNSSEC
  validation, allows remote attackers to cause a denial of service (REQUIRE
  assertion failure and daemon exit) by constructing crafted zone data and
  then making a query for a name in that zone.
Comment 13 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-07-17 16:24:39 UTC
ia64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-07-23 09:02:54 UTC
ppc stable
Comment 15 Agostino Sarubbo gentoo-dev 2015-07-23 09:39:07 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 16 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-07-23 15:20:16 UTC
I am drafting this now.
Comment 17 Yury German Gentoo Infrastructure gentoo-dev Security 2015-09-08 05:34:59 UTC
Arches and Maintainer(s), Thank you for your work.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2015-10-18 19:52:11 UTC
This issue was resolved and addressed in
 GLSA 201510-01 at https://security.gentoo.org/glsa/201510-01
by GLSA coordinator Mikle Kolyada (Zlogene).