Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 368863 (CVE-2011-1910) - <net-dns/bind-9.7.3_p1: RRSIG RRsets negative lookup DoS (CVE-2011-1910)
Summary: <net-dns/bind-9.7.3_p1: RRSIG RRsets negative lookup DoS (CVE-2011-1910)
Status: RESOLVED FIXED
Alias: CVE-2011-1910
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.isc.org/software/bind/advi...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-05-27 09:01 UTC by Alex Legler (RETIRED)
Modified: 2012-06-02 13:59 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2011-05-27 09:01:52 UTC
From $URL:

A BIND 9 DNS server set up to be a caching resolver is vulnerable to a user querying a domain with very large resource record sets (RRSets) when trying to negatively cache a response. This can cause the BIND 9 DNS server (named process) to crash. 

Versions affected: 
9.4-ESV-R3 and later, 9.6-ESV-R2 and later, 9.6.3, 9.7.1 and later, 9.8.0 and later

Solution: 

Upgrade to: 9.4-ESV-R4-P1, 9.6-ESV-R4-P1, 9.7.3-P1 or 9.8.0-P2:
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2011-05-27 18:53:56 UTC
I just added 9.7.3_p1 and 9.8.0_p2.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-05-27 18:59:14 UTC
Arches, please test and mark stable:
=net-dns/bind-9.7.3_p1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2011-05-27 20:14:06 UTC
>>> Preparing source in /tmp/portage/net-dns/bind-9.7.3_p1/work/bind-9.7.3-P1 ...
 * Applying bind-dlzmysql5-reconnect.patch ...
 [ ok ]

 * Cannot find $EPATCH_SOURCE!  Value for $EPATCH_SOURCE is:
 * 
 *   /usr/portage/net-dns/bind/files/bind-9.7.3_p1-odbc-dlz-detect.patch
 *   ( bind-9.7.3_p1-odbc-dlz-detect.patch )

 * ERROR: net-dns/bind-9.7.3_p1 failed (prepare phase):
 *   Cannot find $EPATCH_SOURCE!
 * 
 * Call stack:
 *     ebuild.sh, line   56:  Called src_prepare
 *   environment, line 3280:  Called epatch '/usr/portage/net-dns/bind/files/bind-9.7.3_p1-odbc-dlz-detect.patch
Comment 4 Christian Ruppert (idl0r) gentoo-dev 2011-05-27 21:58:07 UTC
Fixed in CVS, sorry.
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2011-05-27 22:28:30 UTC
looks ok on my server. amd64 done
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-05-28 07:36:37 UTC
x86 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2011-05-28 16:59:27 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-05-28 20:52:39 UTC
ppc/ppc64 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2011-05-30 00:16:13 UTC
Stable for HPPA.
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-05-30 00:21:25 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-06-13 16:59:20 UTC
CVE-2011-1910 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1910):
  Off-by-one error in named in ISC BIND 9.x before 9.7.3-P1, 9.8.x before
  9.8.0-P2, 9.4-ESV before 9.4-ESV-R4-P1, and 9.6-ESV before 9.6-ESV-R4-P1
  allows remote DNS servers to cause a denial of service (assertion failure
  and daemon exit) via a negative response containing large RRSIG RRsets.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 21:44:54 UTC
Vote: YES. Added to pending GLSA request.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-06-02 13:59:56 UTC
This issue was resolved and addressed in
 GLSA 201206-01 at http://security.gentoo.org/glsa/glsa-201206-01.xml
by GLSA coordinator Stefan Behte (craig).