Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 738250 (CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624) - <net-dns/bind-9.16.6: Multiple vulnerabilities (CVE-2020-{8620,8621,8622,8623,8624)
Summary: <net-dns/bind-9.16.6: Multiple vulnerabilities (CVE-2020-{8620,8621,8622,8623...
Status: RESOLVED FIXED
Alias: CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623, CVE-2020-8624
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://lists.isc.org/pipermail/bind-...
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks: python38-stable-needed
  Show dependency tree
 
Reported: 2020-08-20 18:41 UTC by Sam James
Modified: 2020-08-29 22:13 UTC (History)
6 users (show)

See Also:
Package list:
net-dns/bind-9.16.6 amd64 arm arm64 ppc ppc64 sparc x86 net-dns/bind-tools-9.16.6
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-08-20 18:41:54 UTC
* CVE-2020-8620

Description:
"In versions of BIND that use the libuv network manager (9.16.x is the only stable branch affected) an incorrectly specified maximum buffer size allows a specially crafted large TCP payload to trigger an assertion failure when it is received."

URL: https://kb.isc.org/docs/cve-2020-8620

* CVE-2020-8621

Description:
"While query forwarding and QNAME minimization are mutually incompatible, BIND did sometimes allow QNAME minimization when continuing with recursion after 'forward first' did not result in an answer. In these cases the data used by QNAME minimization might be inconsistent, leading to an assertion failure, causing the server to exit."

URL: https://kb.isc.org/docs/cve-2020-8621

* CVE-2020-8622

Description:
"Attempting to verify a truncated response to a TSIG-signed request leads to an assertion failure."

URL: https://kb.isc.org/docs/cve-2020-8622

* CVE-2020-8623

Description:
"If BIND is built with "--enable-native-pkcs11" then a specially crafted query for a zone signed with RSA can trigger an assertion failure."

URL: https://kb.isc.org/docs/cve-2020-8623

* CVE-2020-8624

Description:
"Change 4885 inadvertently caused "update-policy" rules of type "subdomain" to be treated as if they were of type "zonesub", allowing updates to all parts of the zone along with the intended subdomain."

URL: https://kb.isc.org/docs/cve-2020-8624
Comment 1 Sam James archtester gentoo-dev Security 2020-08-20 18:42:44 UTC
Please bump to 9.16.6. Not sure if 9.14 is still supported?
Comment 2 Larry the Git Cow gentoo-dev 2020-08-21 18:56:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e8b03442b587308a6f6a38f5cb47bd5c6df64f1c

commit e8b03442b587308a6f6a38f5cb47bd5c6df64f1c
Author:     Patrick McLean <patrick.mclean@sony.com>
AuthorDate: 2020-08-21 18:54:29 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-08-21 18:56:14 +0000

    net-dns/bind-tools-9.16.6: Version bump (bug 738250)
    
    Also add myself to metadata.xml
    
    Bug: https://bugs.gentoo.org/738250
    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 net-dns/bind-tools/Manifest                 |   1 +
 net-dns/bind-tools/bind-tools-9.16.6.ebuild | 149 ++++++++++++++++++++++++++++
 net-dns/bind-tools/metadata.xml             |   4 +
 3 files changed, 154 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=12ad14e5a4e4a40b0d847aa573743ef108d08410

commit 12ad14e5a4e4a40b0d847aa573743ef108d08410
Author:     Patrick McLean <patrick.mclean@sony.com>
AuthorDate: 2020-08-21 18:52:20 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2020-08-21 18:56:14 +0000

    net-dns/bind-9.16.6: Bump (bug 738250), rework python, GLEP 81
    
    This supports installing for multiple python implementations, as well as
    a security version bump.
    
    - Move to GLEP 81 (bug #701262)
    - Add myself to metadata.xml
    
    Bug: https://bugs.gentoo.org/738250
    Bug: https://bugs.gentoo.org/701262
    Copyright: Sony Interactive Entertainment Inc.
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Patrick McLean <chutzpah@gentoo.org>

 net-dns/bind/Manifest           |   1 +
 net-dns/bind/bind-9.16.6.ebuild | 373 ++++++++++++++++++++++++++++++++++++++++
 net-dns/bind/metadata.xml       |   4 +
 3 files changed, 378 insertions(+)
Comment 3 Sam James archtester gentoo-dev Security 2020-08-21 21:17:25 UTC
Tell us when ready to stable, thanks!

Nothing here [0] looks particularly worrisome but upstream have changed other things in security releases before, so I guess a day or two is not a bad idea.

[0] https://downloads.isc.org/isc/bind9/9.16.6/doc/arm/html/notes.html#notes-for-bind-9-16-6
Comment 4 Sam James archtester gentoo-dev Security 2020-08-24 17:27:47 UTC
x86 done
Comment 5 Sam James archtester gentoo-dev Security 2020-08-24 23:56:14 UTC
arm64 done
Comment 6 Sam James archtester gentoo-dev Security 2020-08-25 10:30:32 UTC
arm done
Comment 7 Sam James archtester gentoo-dev Security 2020-08-25 12:15:50 UTC
amd64 done
Comment 8 Sam James archtester gentoo-dev Security 2020-08-25 19:41:10 UTC
sparc done
Comment 9 Sam James archtester gentoo-dev Security 2020-08-25 19:56:35 UTC
ppc64 done
Comment 10 Rolf Eike Beer 2020-08-28 17:40:41 UTC
hppa stable
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-08-29 08:31:06 UTC
ppc stable; cleanup done.
Comment 12 John Helmert III (ajak) 2020-08-29 20:46:09 UTC
A3 -> glsa.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2020-08-29 22:13:09 UTC
This issue was resolved and addressed in
 GLSA 202008-19 at https://security.gentoo.org/glsa/202008-19
by GLSA coordinator Sam James (sam_c).