ISC BIND 9 contains a vulnerability that may allow a remote, unauthenticated attacker to create a denial-of-service condition.
The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC). It includes support for dynamic DNS updates as specified in IETF RFC 2136. BIND 9 can crash when processing a specially-crafted dynamic update packet.
By sending a specially-crafted dynamic update packet to a BIND 9 server, a remote, unauthenticated attacker can cause a denial of service by causing BIND to crash.
Apply an update
Users who obtain BIND from a third-party vendor, such as their operating system vendor, should see the systems affected portion of this document for a partial list of affected vendors.
This vulnerability is addressed in ISC BIND versions 9.4.3-P3, 9.5.1-P3, and BIND 9.6.1-P1. Users of BIND from the original source distribution should upgrade to one of these versions, as appropriate.
Candidates for stabilization:
Bumps for 9.5 and 9.6 will follow tomorrow.
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
*** Bug 279515 has been marked as a duplicate of this bug. ***
Stable for HPPA.
+ 29 Jul 2009; <firstname.lastname@example.org> bind-9.4.3_p3.ebuild:
+ Marked stable on AMD64 as requested by Robert Buchholz <email@example.com> in
+ security bug #279508. Tested with USE="berkdb idn ipv6 ldap resolvconf ssl
+ threads urandom -dlz -doc -mysql -odbc -postgres (-selinux)" on a Core2
please mark stable for x86 - I have tested ~x86 - no problems so far!
I'll raise severity as impact is critical for production systems and the exploit is public.
*** Bug 279579 has been marked as a duplicate of this bug. ***
Why is not reported in Gentoo Linux Security Advisories ?
(In reply to comment #10)
> Why is not reported in Gentoo Linux Security Advisories ?
Because it's not stable on all arches yet. See the vulnerability treatment policy if you want more details.
bind herd, are you discontinuing support for bind 9.5 ? I saw 9.6 was bumped, but not 9.5.
(In reply to comment #12)
> bind herd, are you discontinuing support for bind 9.5 ? I saw 9.6 was bumped,
> but not 9.5.
9.5.1_p3 is in CVS, too.
And please also note that the following packages should be marked as stable:
therefore re-adding amd64.
Marked ppc/ppc64 stable.
...e ppc and ppc64 since they are done
net-dns/bind-tools/bind-tools-9.4.3_p3.ebuild: RDEPEND is not explicitly assigned
The dns_db_findrdataset function in db.c in named in ISC BIND 9.4
before 9.4.3-P3, 9.5 before 9.5.1-P3, and 9.6 before 9.6.1-P1, when
configured as a master server, allows remote attackers to cause a
denial of service (assertion failure and daemon exit) via an ANY
record in the prerequisite section of a crafted dynamic update
message, as exploited in the wild in July 2009.
(In reply to comment #21)
> GLSA 200908-02.
ns1 ~ # glsa-check -d 200908-02
BIND: Denial of Service
Synopsis: Dynamic Update packets can cause a Denial of Service in
the BIND daemon.
Announced on: August 01, 2009
Last revised on: August 01, 2009: 01
Affected package: net-dns/bind
Affected archs: All
I believe the above glsa does not alert if someone is running a vulnerable 9.5.x or 9.6.x version of bind. Minimum fixed versions for those branches are:
Dave, this is correct. Unstable (~arch) ebuilds are not subject to GLSA publication. In consequence, affected/unaffected versions mentioned in a GLSA only cover the stable ebuilds. BIND 9.5 and 9.6 are not stable ebuilds in Gentoo.