ISC is planning on announcing a vulnerability tomorrow (2015-06-30)
around 1000 PDT (1700 UTC).
CVE-2015-4620: Specially Constructed Zone Data Can Cause a Resolver
to Crash when Validating, affecting BIND versions 9.7.1+
Please refrain from public announcement and publication of new packages
until after we have made our public announcement.
The BIND 9.9.7-P1 and 9.10.2-P2 versions will include the fix for this
issue. A patch to correct this issue is also attached to this message
which may be used to build replacement BIND packages for your users.
Created attachment 405968 [details]
Public announcement has been postponed.
This issue is now public via https://kb.isc.org/article/AA-01267/:
Fixed upstream in versions 9.9.7-P1 and 9.10.2-P2:
9.10.2-P2 has been added. if you want to stabilize then please stabilize bind as well as bind-tools 9.10.2_p2.
(In reply to Christian Ruppert (idl0r) from comment #4)
> 9.10.2-P2 has been added. if you want to stabilize then please stabilize
> bind as well as bind-tools 9.10.2_p2.
Thanks for adding
Arches, please stabilize:
target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Stable for HPPA PPC64.
Stable on alpha.
name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x
before 9.10.2-P2, when configured as a recursive resolver with DNSSEC
validation, allows remote attackers to cause a denial of service (REQUIRE
assertion failure and daemon exit) by constructing crafted zone data and
then making a query for a name in that zone.
Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
I am drafting this now.
Arches and Maintainer(s), Thank you for your work.
This issue was resolved and addressed in
GLSA 201510-01 at https://security.gentoo.org/glsa/201510-01
by GLSA coordinator Mikle Kolyada (Zlogene).