Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 531998 (CVE-2014-8500) - <net-dns/bind-9.10.1_p1: DoS through recursive query loop, defect in GeoIP (CVE-2014-{3214,8500,8680})
Summary: <net-dns/bind-9.10.1_p1: DoS through recursive query loop, defect in GeoIP (C...
Status: RESOLVED FIXED
Alias: CVE-2014-8500
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa]
Keywords:
: 529474 (view as bug list)
Depends on: 524148
Blocks:
  Show dependency tree
 
Reported: 2014-12-08 17:49 UTC by Hanno Böck
Modified: 2016-07-02 03:34 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2014-12-08 17:49:52 UTC
bind upstream has released two security advisories:
https://kb.isc.org/article/AA-01216
https://kb.isc.org/article/AA-01217

The first is a DoS issue with recursive queries and also affects powerdns and unbound. The second only affects bind 9.10 and is related to GeoIP.

9.9.6-P1 and 9.10.1-P1 have been released.
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2014-12-09 20:23:20 UTC
9.10.1-P1 has been added but not fully tested yet, esp. GeoIP.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-12-09 20:36:00 UTC
(In reply to Christian Ruppert (idl0r) from comment #1)
> 9.10.1-P1 has been added but not fully tested yet, esp. GeoIP.

Thanks. Please initiate stabilization once you feel it is tested sufficiently.
Comment 3 Christian Ruppert (idl0r) gentoo-dev 2014-12-10 13:48:38 UTC
(In reply to Kristian Fiskerstrand from comment #2)
> (In reply to Christian Ruppert (idl0r) from comment #1)
> > 9.10.1-P1 has been added but not fully tested yet, esp. GeoIP.
> 
> Thanks. Please initiate stabilization once you feel it is tested
> sufficiently.

Basic functionality has been tested tough I am currently not able to test GeoIP features, esp. compatibility between 9.9.x and 9.10.x since GeoIP has been officially added/merged by upstream. I think we should go with 9.10.x anyway.
Comment 4 Agostino Sarubbo gentoo-dev 2014-12-11 11:07:37 UTC
Arches, please test and mark stable:
=net-dns/bind-9.10.1_p1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 5 Christian Ruppert (idl0r) gentoo-dev 2014-12-11 13:06:30 UTC
@titanofold:
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-dns/bind/bind-9.10.1.ebuild?r1=1.4&r2=1.5

Was that keyword dropping on purpose? It was added a rev. before, by Mike. Can you restore the keywords please?
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 06:53:41 UTC
CVE-2014-8680 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8680):
  The GeoIP functionality in ISC BIND 9.10.0 through 9.10.1 allows remote
  attackers to cause a denial of service (assertion failure and named exit)
  via vectors related to (1) the lack of GeoIP databases for both IPv4 and
  IPv6, or (2) IPv6 support with certain options.

CVE-2014-8500 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8500):
  ISC BIND 9.0.x through 9.8.x, 9.9.0 through 9.9.6, and 9.10.0 through 9.10.1
  does not limit delegation chaining, which allows remote attackers to cause a
  denial of service (memory consumption and named crash) via a large or
  infinite number of referrals.
Comment 7 Agostino Sarubbo gentoo-dev 2014-12-12 09:09:49 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-12-12 09:23:38 UTC
x86 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2014-12-12 10:34:17 UTC
Stable for HPPA.
Comment 10 Markus Meier gentoo-dev 2014-12-20 16:39:03 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-12-23 09:31:41 UTC
alpha stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-12-24 14:38:09 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-12-24 14:48:15 UTC
ppc64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2014-12-25 11:21:14 UTC
ia64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2014-12-26 09:20:17 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2014-12-29 00:38:02 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version(s).

New GLSA Request filed.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 23:47:51 UTC
CVE-2014-3214 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3214):
  The prefetch implementation in named in ISC BIND 9.10.0, when a recursive
  nameserver is enabled, allows remote attackers to cause a denial of service
  (REQUIRE assertion failure and daemon exit) via a DNS query that triggers a
  response with unspecified attributes.
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2015-02-01 02:23:00 UTC
Maintainer(s), it has been 30 days since request for cleanup. 
Please drop the vulnerable versions.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2015-02-07 16:50:52 UTC
This issue was resolved and addressed in
 GLSA 201502-03 at http://security.gentoo.org/glsa/glsa-201502-03.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 20 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-02-07 16:53:27 UTC
it seems that 9.9.5-r3 is not affected.
Comment 21 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-07 17:34:29 UTC
(In reply to Mikle Kolyada from comment #20)
> it seems that 9.9.5-r3 is not affected.

Not as far as I'm aware, so reopening for cleanup. 

@maintainers: if 9.9.5-r3 is unaffected, please close this bug and file a GLSA Errata bug for GLSA-201502-03 , if not, please cleanup.
Comment 22 Jeroen Roovers (RETIRED) gentoo-dev 2015-02-08 14:17:42 UTC
*** Bug 529474 has been marked as a duplicate of this bug. ***
Comment 23 Aaron Bauman (RETIRED) gentoo-dev 2016-07-02 03:34:19 UTC
9.9.x is gone from the tree now.