Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 556150 (CVE-2015-5477) - <net-dns/bind-9.10.2_p3: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure (CVE-2015-5477)
Summary: <net-dns/bind-9.10.2_p3: An error in handling TKEY queries can cause named to...
Status: RESOLVED FIXED
Alias: CVE-2015-5477
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://kb.isc.org/article/AA-01272
Whiteboard: A3 [glsa cve cleanup]
Keywords:
: 556326 (view as bug list)
Depends on:
Blocks:
 
Reported: 2015-07-28 19:10 UTC by dwfreed
Modified: 2015-10-18 19:52 UTC (History)
8 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description dwfreed 2015-07-28 19:10:25 UTC
From the URL:

An error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit.

Impact:

Both recursive and authoritative servers are vulnerable to this defect.  Additionally, exposure is not prevented by either ACLs or configuration options limiting or denying service because the exploitable code occurs early in the packet handling, before checks enforcing those boundaries.

Solution:

BIND 9 version 9.9.7-P2 and 9.10.2-P3 have been released to resolve this.
Comment 1 Agostino Sarubbo gentoo-dev 2015-07-30 13:18:51 UTC
*** Bug 556326 has been marked as a duplicate of this bug. ***
Comment 2 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-30 18:53:33 UTC
9.10.2_p3 has just been added.
Comment 3 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-07-30 19:04:10 UTC
(In reply to Christian Ruppert (idl0r) from comment #2)
> 9.10.2_p3 has just been added.

should we stabilize that one?
Comment 4 Kristian Fiskerstrand gentoo-dev Security 2015-07-30 19:15:05 UTC
Arches, please stabilize:
=net-dns/bind-9.10.2_p3
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 5 Robert R. Richter 2015-07-30 22:00:25 UTC
What about Users who want to stay on the 9.9.x branch? Do you plan to release an ebuild for 9.9.7-P2 ?
Comment 6 Agostino Sarubbo gentoo-dev 2015-07-31 08:07:54 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-07-31 08:08:09 UTC
x86 stable
Comment 8 Robert R. Richter 2015-07-31 12:29:08 UTC
127.zone file under /var/bind/pri gets killed during upgrade from 9.9.5-r3
Comment 9 Tobias Klausmann gentoo-dev 2015-07-31 15:09:03 UTC
Stable on alpha.
Comment 10 Paul B. Henson 2015-08-01 03:15:23 UTC
(In reply to Robert R. Richter from comment #8)
> 127.zone file under /var/bind/pri gets killed during upgrade from 9.9.5-r3

This probably isn't the place to discuss it, but it does seem odd for it to just disappear from 9.9 to 9.10. localhost.zone is still installed. If anything, rather than losing the IPv4 reverse zone for loopback they should have added the IPv6 reverse for loopback :). I considered opening a new bug but I'm just going to add them to my local config.
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-08-01 16:30:01 UTC
ia64 stable
Comment 12 Jeroen Roovers gentoo-dev 2015-08-05 06:01:09 UTC
Stable for HPPA PPC64.
Comment 13 Markus Meier gentoo-dev 2015-08-06 04:53:31 UTC
arm stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-08-26 07:29:51 UTC
ppc stable
Comment 15 Agostino Sarubbo gentoo-dev 2015-09-06 08:33:48 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 16 Kristian Fiskerstrand gentoo-dev Security 2015-09-24 15:38:28 UTC
Added to existing GLSA
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2015-10-18 19:52:19 UTC
This issue was resolved and addressed in
 GLSA 201510-01 at https://security.gentoo.org/glsa/201510-01
by GLSA coordinator Mikle Kolyada (Zlogene).