References:
https://www.isc.org/node/504
http://www.kb.cert.org/vuls/id/418861
https://bugzilla.redhat.com/show_bug.cgi?id=538744

Quoting from the redhat bug:
"ISC reports a cache poisoning flaw reported by Michael Sinatra of UC Berkeley that may cause bind to cache replies that were not properly DNSSEC validated when recursive query was done based on uncommon client query. A nameserver with DNSSEC validation enabled may incorrectly add records to its cache from the additional section of responses received during resolution of a recursive client query. This behavior only occurs when processing client queries with checking disabled (CD) at the same time as requesting DNSSEC records (DO). This issue was reported to affect all 9.x versions and should be fixed in 9.4.3-P4, 9.5.2-P1 and 9.6.1-P2."

Upgrade BIND to one of the following: 9.4.3-P4, 9.5.2-P1 or 9.6.1-P2.
Voxus, bind herd, can you provide new ebuilds?
*** Bug 294570 has been marked as a duplicate of this bug. ***
CVE-2009-4022 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4022): Unspecified vulnerability in ISC BIND 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, 9.7 beta before 9.7.0b3, and 9.0.x through 9.3.x with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks via additional sections in a response sent for resolution of a recursive client query, which is not properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)."
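As an added example (not from this bug thread or from Gentoo), a small triage helper that maps a BIND version string, in ISC form (`9.4.3-P4`), Gentoo ebuild form (`9.4.3_p4`) or beta form (`9.7.0b2`), onto the affected ranges quoted from NVD above; the ranges are taken from that text, the parsing rules are assumptions about the version formats.

```python
import re

# Fixed versions per branch from the NVD entry for CVE-2009-4022, as
# (major, minor, patch, stage, level) tuples: stage 0 is a beta (b1, b2, ...),
# stage 1 a release (-P0 for a plain release, -P1, -P2, ...), so betas sort
# before the release they precede.
FIXED_IN = {
    (9, 4): (9, 4, 3, 1, 4),  # 9.4.3-P4
    (9, 5): (9, 5, 2, 1, 1),  # 9.5.2-P1
    (9, 6): (9, 6, 1, 1, 2),  # 9.6.1-P2
    (9, 7): (9, 7, 0, 0, 3),  # 9.7.0b3 (beta series)
}
# Branches the entry lists as affected with no fixed release at all.
UNFIXED_BRANCHES = {(9, 0), (9, 1), (9, 2), (9, 3)}

# Assumed formats: ISC "9.4.3-P4", Gentoo "9.4.3_p4", beta "9.7.0b2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-P(\d+)|_p(\d+)|b(\d+))?$")


def parse_bind_version(text):
    """Turn a BIND version string into a sortable tuple (see FIXED_IN)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised BIND version string: %r" % text)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(6) is not None:            # beta: sorts before any release
        return (major, minor, patch, 0, int(m.group(6)))
    level = m.group(4) or m.group(5) or "0"  # -Pn / _pn, else plain release
    return (major, minor, patch, 1, int(level))


def is_vulnerable(text):
    """True if the version lies in an affected range of CVE-2009-4022."""
    v = parse_bind_version(text)
    branch = v[:2]
    if branch in UNFIXED_BRANCHES:
        return True
    fixed = FIXED_IN.get(branch)
    if fixed is None:                     # branch not named by the entry
        return False
    return v < fixed


if __name__ == "__main__":
    # Constructed sample inputs, e.g. what "named -v" or an ebuild name gives.
    for ver in ("9.4.3-P3", "9.4.3_p4", "9.6.1-P2", "9.7.0b2", "9.3.6-P1"):
        print(ver, "vulnerable" if is_vulnerable(ver) else "fixed")
```

Feed it the output of `named -v` on each resolver; anything reported as vulnerable needs the upgrade named in the report.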
(In reply to comment #1)
> Voxus, bind herd, can you provide new ebuilds?

Done. net-dns/bind-9.4.3_p4 and net-dns/bind-9.6.1_p2 are in tree now.
Arches, please test and mark stable:
=net-dns/bind-9.4.3_p4
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
(In reply to comment #5)
> Arches, please test and mark stable:
> =net-dns/bind-9.4.3_p4
> Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

And =net-dns/bind-tools-9.4.3_p4 naturally.
Both stable for HPPA.
amd64/arm/x86 stable
ppc64 done
Stable for PPC.
alpha/ia64/s390/sh/sparc stable
GLSA vote: no.
ppc64 forgot about bind-tools.
got -tools for ppc64 now
jer: why do we need bind-tools to go stable for a bug in bind?
(In reply to comment #15)
> jer: why do we need bind-tools to go stable for a bug in bind?

Because, if you happen to run a named, you would want the tools' version and patch level to match the server's. Both packages are compiled from the same source tarball too.
NO too, closing.
> Because, if you happen to run a named, you would want the tools' version and
> patch level to match the server's.

No, why would I? diff -ur does not show differences in the tools (correct me, if I'm wrong), so why should we care to update them, too?