Bug 498016 (CVE-2014-0591) - <net-dns/bind-9.9.4_p2: A Crafted Query Against an NSEC3-signed Zone Can Crash BIND (CVE-2014-0591)
Summary: <net-dns/bind-9.9.4_p2: A Crafted Query Against an NSEC3-signed Zone Can Cras...
Alias: CVE-2014-0591
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Duplicates: 499074
Reported: 2014-01-13 17:03 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2014-05-30 20:16 UTC


Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-01-13 17:03:15 UTC

Because of a defect in handling queries for NSEC3-signed zones, BIND can crash with an "INSIST" failure in name.c when processing queries possessing certain properties. By exploiting this defect an attacker deliberately constructing a query with the right properties could achieve denial of service against an authoritative nameserver serving NSEC3-signed zones.

Please Note: Versions of BIND 9.7 are also affected, but this branch is beyond its "end of life" (EOL) and no longer receives testing or security fixes from ISC. For current information on which versions are actively supported, please see


Authoritative nameservers serving at least one NSEC3-signed zone are vulnerable to this defect.  Recursive-only servers are not at risk.  Authoritative servers which do not serve NSEC3-signed zones are not at risk.

Solution:  Upgrade to the patched release most closely related to your current version of BIND. These can all be downloaded from

    BIND 9 version 9.6-ESV-R10-P2
    BIND 9 version 9.8.6-P2
    BIND 9 version 9.9.4-P2 

Reproducible: Always
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2014-01-13 17:11:19 UTC
9.9.4-P2 has just been added to the tree.
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2014-01-13 19:27:35 UTC
Arches, please test and stabilize:
Target arches: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2014-01-13 22:34:27 UTC
Stable for HPPA.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-01-14 17:05:22 UTC
CVE-2014-0591:
  The query_findclosestnsec3 function in query.c in named in ISC BIND 9.6,
  9.7, and 9.8 before 9.8.6-P2 and 9.9 before 9.9.4-P2, and 9.6-ESV before
  9.6-ESV-R10-P2, allows remote attackers to cause a denial of service (INSIST
  assertion failure and daemon exit) via a crafted DNS query to an
  authoritative nameserver that uses the NSEC3 signing feature.
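As an added example (not part of this bug report and not Gentoo or ISC tooling), the following Python applies the conditions stated in the description and in comment 4: an affected BIND build, an authoritative role, and at least one NSEC3-signed zone. The function names and the sample zone fragments are constructed for illustration, and the NSEC3 check assumes a text-format signed zone file, in which an NSEC3-signed zone carries an NSEC3PARAM record.

```python
import re

# Fixed releases named on this page: branch -> (release number, -P level).
FIXED = {"9.6-ESV": (10, 2), "9.8": (6, 2), "9.9": (4, 2)}

ESV_RE = re.compile(r"^9\.6-ESV(?:-R(\d+))?(?:-P(\d+))?$", re.I)
# Accepts both upstream ("9.9.4-P2") and Gentoo ("9.9.4_p2") spellings.
STD_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-_]P(\d+))?$", re.I)


def classify(version):
    """Return 'affected', 'fixed', 'not-listed' or 'unparsed' for a BIND version."""
    v = version.strip()
    m = ESV_RE.match(v)
    if m:
        level = (int(m.group(1) or 0), int(m.group(2) or 0))
        return "fixed" if level >= FIXED["9.6-ESV"] else "affected"
    m = STD_RE.match(v)
    if not m:
        return "unparsed"  # alpha/beta/rc and vendor suffixes are not handled
    branch = f"{m.group(1)}.{m.group(2)}"
    level = (int(m.group(3) or 0), int(m.group(4) or 0))
    if branch in ("9.6", "9.7"):
        return "affected"  # listed as affected; the page names no fix in these branches
    if branch in FIXED:
        return "fixed" if level >= FIXED[branch] else "affected"
    return "not-listed"  # the page makes no statement about this branch


def zone_uses_nsec3(zone_text):
    """True if the zone data holds an NSEC3PARAM record (';' comments ignored)."""
    return any(re.search(r"\bNSEC3PARAM\b", line.split(";", 1)[0])
               for line in zone_text.splitlines())


def at_risk(version, authoritative, zones):
    """Apply the page's conditions: affected build, authoritative, NSEC3 zone."""
    return (classify(version) == "affected" and authoritative
            and any(zone_uses_nsec3(z) for z in zones))


# Constructed sample zone fragments, not taken from any real server.
NSEC3_ZONE = "example.test. 0 IN NSEC3PARAM 1 0 10 AABBCCDD ; apex\n"
PLAIN_ZONE = "example.test. 3600 IN A 192.0.2.1 ; no NSEC3PARAM here\n"

if __name__ == "__main__":
    for ver in ("9.9.3_p2", "9.9.4-P2", "9.8.6", "9.6-ESV-R10-P2", "9.7.7"):
        print(ver, classify(ver), at_risk(ver, True, [NSEC3_ZONE]))
```
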
Comment 5 Agostino Sarubbo gentoo-dev 2014-01-16 20:16:10 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-01-16 20:17:54 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-01-17 20:43:34 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-01-17 20:47:21 UTC
ppc stable
Comment 9 Markus Meier gentoo-dev 2014-01-19 12:34:18 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-01-19 13:50:54 UTC
alpha stable
Comment 11 Alex Xu (Hello71) 2014-01-23 21:13:25 UTC
*** Bug 499074 has been marked as a duplicate of this bug. ***
Comment 12 Agostino Sarubbo gentoo-dev 2014-01-26 11:49:19 UTC
ia64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-01-26 11:59:52 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 14 Christian Ruppert (idl0r) gentoo-dev 2014-01-26 16:15:33 UTC
I know s390 and sh aren't stable arches but I'll add them here anyway.
So guys, please take a look at bind-9.9.4_p2 as we'll drop bind-9.9.3_p2 soonish.
Comment 15 Mark (voidzero) 2014-01-26 18:20:32 UTC
Hi everyone,

This bug's importance is marked "Normal minor". I don't understand why, hopefully someone can explain.

In my opinion the bug's priority should be more urgent. Our servers were attacked and did crash. The attacks seemed to occur at random and did not take longer than about five minutes per attack, but as a result our DNS servers did crash quite often.
I don't know if squiddies attacked specifically us.

At first we worked around this by creating a wrapper that kept restarting BIND a second after a crash occurred. But attacks increased so we decided to bump to bind-9.9.4_p2 via our private overlay.

But if the bump to p2 could occur via the Gentoo repo quickly, that would be great. Thanks.
Comment 16 Samuel Damashek (RETIRED) gentoo-dev 2014-01-26 18:49:45 UTC

We have a policy for setting bug's severity and priority (available at A denial of service, even of high exploitability, is always of minor severity. In this case, the fixed version (9.9.4_p2) has already been committed and stabilized in CVS, so you should just be able to sync the Portage tree (emerge --sync) and emerge the newest version of bind. Thank you for your understanding!
Comment 17 Mark (voidzero) 2014-01-26 23:03:41 UTC
Hi Samuel,

Thanks for the link providing the policy, it's much appreciated.

Also I'm glad that the update has been committed, it sure is a nasty bug.

Comment 18 Chris Reffett (RETIRED) gentoo-dev Security 2014-01-27 04:10:32 UTC
GLSA vote: yes.
Comment 19 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-01-27 18:58:17 UTC
(In reply to Chris Reffett from comment #18)
> GLSA vote: yes.

We already have a GLSA request from prior bug. This was added to it
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2014-01-29 22:52:52 UTC
This issue was resolved and addressed in
 GLSA 201401-34 at
by GLSA coordinator Sean Amoss (ackle).
Comment 21 Sean Amoss (RETIRED) gentoo-dev Security 2014-01-29 22:53:16 UTC
Re-open for cleanup.
Comment 22 Yury German Gentoo Infrastructure gentoo-dev 2014-05-21 03:46:30 UTC
Still need to clean up 

Comment 23 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-05-21 08:59:59 UTC
Maintainer timeout.

+  21 May 2014; Mikle Kolyada <> -bind-9.9.3_p2.ebuild:
+  Drop insecure version
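
Review bot: the ChangeLog message "Drop insecure version" on the -bind-9.9.3_p2.ebuild entry does not say why that version is insecure. Add the bug or CVE reference (bug 498016, CVE-2014-0591) to the message so the removal can be traced from the ChangeLog alone.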