Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 605454 (CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2016-9778) - <net-dns/{bind,bind-tools}-9.11.0_p2: Multiple vulnerabilities
Summary: <net-dns/{bind,bind-tools}-9.11.0_p2: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2016-9778
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa cve]
Keywords:
Depends on: CVE-2017-3136, CVE-2017-3137, CVE-2017-3138
Blocks:
  Show dependency tree
 
Reported: 2017-01-12 09:43 UTC by Hanno Böck
Modified: 2017-08-17 03:03 UTC (History)
3 users (show)

See Also:
Package list:
=net-dns/bind-9.11.0_p2 =net-dns/bind-tools-9.11.0_p2 =dev-libs/fstrm-0.2.0-r1 alpha arm hppa
Runtime testing required: Yes
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2017-01-12 09:43:49 UTC 
See
http://www.openwall.com/lists/oss-security/2017/01/12/1

CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2016-9778

All seem to be asserts, thus the impact is that one may be able to remotely crash servers:
https://kb.isc.org/category/74/0/10/Software-Products/BIND9/Security-Advisories/

Fixed versions are 9.9.9-P5, 9.10.4-P5, 9.11.0-P2. Please bump.
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2017-01-12 16:11:38 UTC 
net-dns/bind and net-dns/bind-tools 9.11.0_p2 has just been pushed.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-12 18:08:57 UTC 
@ Arches,

please test and mark stable:

=net-dns/bind-9.11.0_p2
=net-dns/bind-tools-9.11.0_p2
Comment 3 Stabilization helper bot gentoo-dev 2017-01-12 18:37:23 UTC 
An automated check of this bug failed - repoman reported dependency errors (15 lines truncated): 

> dependency.bad net-dns/bind/bind-9.11.0_p2.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['dev-libs/fstrm']
> dependency.bad net-dns/bind/bind-9.11.0_p2.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['dev-libs/fstrm']
> dependency.bad net-dns/bind/bind-9.11.0_p2.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop) ['dev-libs/fstrm']
Comment 4 Stabilization helper bot gentoo-dev 2017-01-13 15:05:09 UTC 
An automated check of this bug failed - repoman reported dependency errors (1 lines truncated): 

> dependency.bad net-dns/bind/bind-9.11.0_p2.ebuild: DEPEND: arm(default/linux/arm/13.0) ['dev-libs/fstrm']
> dependency.bad net-dns/bind/bind-9.11.0_p2.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['dev-libs/fstrm']
> dependency.bad net-dns/bind/bind-9.11.0_p2.ebuild: DEPEND: hppa(default/linux/hppa/13.0) ['dev-libs/fstrm']
Comment 5 Agostino Sarubbo gentoo-dev 2017-01-13 17:07:09 UTC 
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-01-15 16:08:49 UTC 
ppc stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-15 22:21:04 UTC 
Stable on alpha.
Comment 8 Agostino Sarubbo gentoo-dev 2017-01-16 10:16:21 UTC 
x86 stable
Comment 9 kfm 2017-01-18 20:21:51 UTC 
In order to maximise the timely uptake of this version by all users, I would recommend that bug 600212 be resolved as soon as is possible.
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-13 21:53:42 UTC 
Superseded by bug 608740.
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-08 22:29:28 UTC 
Superseded by bug 615420.

Added to an existing GLSA.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-08-17 03:03:05 UTC 
This issue was resolved and addressed in
 GLSA 201708-01 at https://security.gentoo.org/glsa/201708-01
by GLSA coordinator Yury German (BlueKnight).