ISC has released two advisories for BIND.

https://www.isc.org/software/bind/advisories/cve-2011-2464
https://www.isc.org/software/bind/advisories/cve-2011-2465

ISC BIND 9 Remote packet Denial of Service against Authoritative and Recursive Servers

A specially constructed packet will cause BIND 9 ("named") to exit, affecting DNS service.

CVE: CVE-2011-2464
Document Version: 2.1
Posting date: 05 Jul 2011
Program Impacted: BIND
Versions affected:
9.6.3, 9.6-ESV-R4, 9.6-ESV-R4-P1, 9.6-ESV-R5b1
9.7.0, 9.7.0-P1, 9.7.0-P2, 9.7.1, 9.7.1-P1, 9.7.1-P2, 9.7.2, 9.7.2-P1, 9.7.2-P2, 9.7.2-P3, 9.7.3, 9.7.3-P1, 9.7.3-P2, 9.7.4b1
9.8.0, 9.8.0-P1, 9.8.0-P2, 9.8.0-P3, 9.8.1b1
Severity: High
Exploitable: Remotely

ISC BIND 9 Remote Crash with Certain RPZ Configurations

Summary: Two defects were discovered in ISC's BIND 9 code. These defects only affect BIND 9 servers which have recursion enabled and which use a specific feature of the software known as Response Policy Zones (RPZ) and where the RPZ zone contains a specific rule/action pattern.

CVE: CVE-2011-2465
Document Version: 2.1
Posting date: 05 Jul 2011
Program Impacted: BIND
Versions affected: 9.8.0, 9.8.0-P1, 9.8.0-P2 and 9.8.1b1
Other versions of BIND 9 not listed here are not vulnerable to this problem.
Severity: High
Exploitable: Remotely
net-dns/bind-9.7.3_p3 is in tree already.
Arches, please test and mark stable:
=net-dns/bind-9.7.3_p3
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Looks OK here on amd64 and on a server with hardened environment, also amd64.
Looks OK on my server. amd64 done. Thanks Agostino
x86 stable. Thanks
I've been running 9.7.3-p3 x86 for a couple of days without issue.
ppc/ppc64 stable
Stable for HPPA.
alpha/arm/ia64/s390/sh/sparc stable
Thanks, everyone. GLSA request filed.
CVE-2011-2465 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2465):
Unspecified vulnerability in ISC BIND 9 9.8.0, 9.8.0-P1, 9.8.0-P2, and 9.8.1b1, when recursion is enabled and the Response Policy Zone (RPZ) contains DNAME or certain CNAME records, allows remote attackers to cause a denial of service (named daemon crash) via an unspecified query.

CVE-2011-2464 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2464):
Unspecified vulnerability in ISC BIND 9 9.6.x before 9.6-ESV-R4-P3, 9.7.x before 9.7.3-P3, and 9.8.x before 9.8.0-P4 allows remote attackers to cause a denial of service (named daemon crash) via a crafted UPDATE request.
This issue was resolved and addressed in GLSA 201206-01 at http://security.gentoo.org/glsa/glsa-201206-01.xml by GLSA coordinator Stefan Behte (craig).