Quoting from the redhat bug:
"ISC reports a cache poisoning flaw reported by Michael Sinatra of UC Berkeley
that may cause bind to cache replies that were not properly DNSSEC validated
when recursive query was done based on uncommon client query.
A nameserver with DNSSEC validation enabled may incorrectly add records
to its cache from the additional section of responses received during
resolution of a recursive client query. This behavior only occurs when
processing client queries with checking disabled (CD) at the same time
as requesting DNSSEC records (DO).
This issue was reported to affect all 9.x versions and should be fixed in
9.4.3-P4, 9.5.2-P1 and 9.6.1-P2."
Upgrade BIND to one of the following: 9.4.3-P4, 9.5.2-P1 or 9.6.1-P2.
Voxus, bind herd, can you provide new ebuilds?
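To make the trigger condition in the quoted ISC text concrete, here is an added example (mine, not code from ISC, Red Hat or the Gentoo ebuilds) showing what a client query with checking disabled (CD) and DNSSEC OK (DO) looks like on the wire, plus a parser that reports whether a captured message carries that CD+DO combination, and a helper that checks a BIND version string against the fixed releases named above. The flag positions are the standard ones (CD is bit 0x0010 of the DNS header flags; DO is the top bit of the OPT pseudo-RR TTL field); the function names and the sample query name are my own, and the version check knows only the 9.4, 9.5 and 9.6 fixed releases listed in this bug, reporting anything else as not known fixed.

```python
"""Added example (not from the bug thread): wire form of the CD+DO client
query described in the advisory, a parser that detects it, and a check of
a named version against the fixed releases listed in this bug."""
import re
import struct

# "Checking Disabled" bit in the DNS header flags (RFC 4035) and the
# EDNS0 "DNSSEC OK" bit in the TTL field of the OPT pseudo-RR (RFC 6891).
CD_FLAG = 0x0010
DO_BIT = 0x8000
OPT_TYPE = 41


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, cd=False, do=False, txid=0x1234):
    """Build a recursive query; cd/do select the CD header flag and the DO bit.
    With both set this is the wire form of `dig +cd +dnssec <name>`."""
    flags = 0x0100  # RD (recursion desired)
    if cd:
        flags |= CD_FLAG
    arcount = 1 if do else 0
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    additional = b""
    if do:
        # OPT RR: root name, type 41, CLASS = UDP payload size,
        # TTL = ext-rcode(8) | version(8) | flags(16), DO is the top flag bit.
        additional = b"\x00" + struct.pack(">HHIH", OPT_TYPE, 4096, DO_BIT, 0)
    return header + question + additional


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def inspect_query(msg):
    """Parse a DNS message and report its CD and DO settings.
    'cd_and_do' is True exactly for the query shape the advisory says makes
    the resolver cache unvalidated additional-section records."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    do = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE and ttl & DO_BIT:
            do = True
    cd = bool(flags & CD_FLAG)
    return {"cd": cd, "do": do, "cd_and_do": cd and do}


# Fixed releases listed in this bug, keyed by branch: (patch, P-level).
FIXED = {(9, 4): (3, 4), (9, 5): (2, 1), (9, 6): (1, 2)}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-_][Pp](\d+))?$")


def named_is_fixed(version):
    """True if a BIND version such as '9.6.1-P2' (or Gentoo's '9.6.1_p2') is
    at or past the fixed release for its branch. Branches not listed in the
    bug (9.0 to 9.3, and anything newer) are conservatively reported as not
    known fixed; beta version strings are rejected."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised BIND version: %r" % version)
    major, minor, patch, plevel = (int(x) if x else 0 for x in m.groups())
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return False
    return (patch, plevel) >= fixed


if __name__ == "__main__":
    q = build_query("example.com", cd=True, do=True)  # constructed sample query
    print(q.hex())
    print(inspect_query(q))
    print("9.4.3-P4 fixed:", named_is_fixed("9.4.3-P4"))
```

Feeding `inspect_query` a packet captured in front of a validating resolver tells you whether clients are actually sending the CD+DO combination; `named -v` output can be passed to `named_is_fixed` after upgrading to confirm the running branch is at one of the releases listed above.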
*** Bug 294570 has been marked as a duplicate of this bug. ***
Unspecified vulnerability in ISC BIND 9.4 before 9.4.3-P4, 9.5 before
9.5.2-P1, 9.6 before 9.6.1-P2, 9.7 beta before 9.7.0b3, and 9.0.x
through 9.3.x with DNSSEC validation enabled and checking disabled
(CD), allows remote attackers to conduct DNS cache poisoning attacks
via additional sections in a response sent for resolution of a
recursive client query, which is not properly handled when the
response is processed "at the same time as requesting DNSSEC records
(In reply to comment #1)
> Voxus, bind herd, can you provide new ebuilds?
net-dns/bind-9.4.3_p4 and net-dns/bind-9.6.1_p2 are in tree now.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
(In reply to comment #5)
> Arches, please test and mark stable:
> Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
And =net-dns/bind-tools-9.4.3_p4 naturally.
Both stable for HPPA.
Stable for PPC.
GLSA vote: no.
ppc64 forgot about bind-tools.
got -tools for ppc64 now
jer: why do you need bind-tools to go stable for a bug in bind?
(In reply to comment #15)
> jer: why do you need bind-tools to go stable for a bug in bind?
Because, if you happen to run a named, you would want the tools' version and patch level to match the server's. Both packages are compiled from the same source tarball too.
NO too, closing.
>Because, if you happen to run a named, you would want the tools' version and
>patch level to match the server's.
No, why would I?
diff -ur does not show differences in the tools (correct me, if I'm wrong), so why should we care to update them, too?