CERT wrote:
ISC BIND 9 contains a vulnerability that may allow a remote, unauthenticated attacker to create a denial-of-service condition.

I. Description
The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC). It includes support for dynamic DNS updates as specified in IETF RFC 2136. BIND 9 can crash when processing a specially-crafted dynamic update packet.

II. Impact
By sending a specially-crafted dynamic update packet to a BIND 9 server, a remote, unauthenticated attacker can cause a denial of service by causing BIND to crash.

III. Solution
Apply an update
Users who obtain BIND from a third-party vendor, such as their operating system vendor, should see the systems affected portion of this document for a partial list of affected vendors. This vulnerability is addressed in ISC BIND versions 9.4.3-P3, 9.5.1-P3, and BIND 9.6.1-P1. Users of BIND from the original source distribution should upgrade to one of these versions, as appropriate.
Candidates for stabilization:
=net-dns/bind-9.4.3_p3
=net-dns/bind-tools-9.4.3_p3
Bumps for 9.5 and 9.6 will follow tomorrow.
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
*** Bug 279515 has been marked as a duplicate of this bug. ***
Stable for HPPA.
+ 29 Jul 2009; <chainsaw@gentoo.org> bind-9.4.3_p3.ebuild: + Marked stable on AMD64 as requested by Robert Buchholz <rbu@gentoo.org> in + security bug #279508. Tested with USE="berkdb idn ipv6 ldap resolvconf ssl + threads urandom -dlz -doc -mysql -odbc -postgres (-selinux)" on a Core2 + Duo.
please mark stable for x86 - I have tested ~x86 - no problems so far!
I'll raise severity as impact is critical for production systems and the exploit is public.
*** Bug 279579 has been marked as a duplicate of this bug. ***
x86 stable
Why is it not reported in Gentoo Linux Security Advisories?
(In reply to comment #10)
> Why is it not reported in Gentoo Linux Security Advisories?

Because it's not stable on all arches yet. See the vulnerability treatment policy if you want more details.
bind herd, are you discontinuing support for bind 9.5? I saw 9.6 was bumped, but not 9.5.
(In reply to comment #12)
> bind herd, are you discontinuing support for bind 9.5? I saw 9.6 was bumped,
> but not 9.5.

9.5.1_p3 is in CVS, too. And please also note that the following packages should be marked as stable:
=net-dns/bind-9.4.3_p3
=net-dns/bind-tools-9.4.3_p3
therefore re-adding amd64.
Marked ppc/ppc64 stable.
amd64 stable
I'll remove ppc and ppc64 since they are done.
net-dns/bind-tools/bind-tools-9.4.3_p3.ebuild: RDEPEND is not explicitly assigned
sparc stable
CVE-2009-0696 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0696): The dns_db_findrdataset function in db.c in named in ISC BIND 9.4 before 9.4.3-P3, 9.5 before 9.5.1-P3, and 9.6 before 9.6.1-P1, when configured as a master server, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an ANY record in the prerequisite section of a crafted dynamic update message, as exploited in the wild in July 2009.
alpha/arm/ia64/s390/sh stable
GLSA 200908-02.
(In reply to comment #21)
> GLSA 200908-02.

ns1 ~ # glsa-check -d 200908-02
GLSA 200908-02: BIND: Denial of Service
============================================================================
Synopsis: Dynamic Update packets can cause a Denial of Service in the BIND daemon.
Announced on: August 01, 2009
Last revised on: August 01, 2009: 01
Affected package: net-dns/bind
Affected archs: All
Vulnerable: <9.4.3_p3
Unaffected: >=9.4.3_p3
^^^^^^^^^^

I believe the above GLSA does not alert if someone is running a vulnerable 9.5.x or 9.6.x version of bind. Minimum fixed versions for those branches are:
bind-9.5.1-p3
bind-9.6.1-p1
Dave, this is correct. Unstable (~arch) ebuilds are not subject to GLSA publication. In consequence, affected/unaffected versions mentioned in a GLSA only cover the stable ebuilds. BIND 9.5 and 9.6 are not stable ebuilds in Gentoo.
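Since the GLSA only covers the stable 9.4 branch, an administrator running ~arch 9.5 or 9.6 has to compare the installed version against the per-branch fixed releases from the CVE-2009-0696 description themselves. The following is an added example, not code from this bug or from Gentoo; it parses ISC-style ("9.5.1-P3"), Gentoo-style ("net-dns/bind-9.5.1_p3") and `named -v`-style ("BIND 9.5.1-P3", assumed output format) version strings and reports whether they fall in an affected range:

```python
import re

# Minimum fixed release per branch, taken from the CVE-2009-0696 text
# (9.4 before 9.4.3-P3, 9.5 before 9.5.1-P3, 9.6 before 9.6.1-P1),
# encoded as (major, minor, patch, patch-level).
FIXED = {
    (9, 4): (9, 4, 3, 3),
    (9, 5): (9, 5, 1, 3),
    (9, 6): (9, 6, 1, 1),
}

# Accepts "9.4.3-P3", "BIND 9.4.3-P3" (assumed `named -v` format),
# and Gentoo atoms such as "=net-dns/bind-9.4.3_p3" or "bind-tools-9.4.3_p3-r1".
_VERSION_RE = re.compile(
    r"^(?:BIND\s+)?"                         # optional "BIND " prefix
    r"(?:=?(?:net-dns/)?bind(?:-tools)?-)?"   # optional Gentoo package prefix
    r"(\d+)\.(\d+)\.(\d+)"                    # major.minor.patch
    r"(?:[-_][pP](\d+))?"                     # ISC "-P3" or Gentoo "_p3"
    r"(?:-r\d+)?$"                            # optional Gentoo ebuild revision
)


def parse_version(text):
    """Normalise a BIND version string to a comparable 4-tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version: {text!r}")
    major, minor, patch, plevel = m.groups()
    # A release without a -Pn suffix sorts below its own -P1 (e.g. 9.6.1 < 9.6.1-P1).
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_vulnerable(text):
    """True/False for branches named in the CVE; None for branches it does not cover."""
    version = parse_version(text)
    branch = version[:2]
    if branch not in FIXED:
        return None  # e.g. 9.3.x: not in the advisory, so no verdict is given
    return version < FIXED[branch]


if __name__ == "__main__":
    # Constructed sample inputs, one per source of version strings.
    for v in ("BIND 9.4.3-P3", "=net-dns/bind-9.5.1_p2", "9.6.1", "9.3.6"):
        print(f"{v:28} vulnerable={is_vulnerable(v)}")
```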