Quoting the URL: Parsing a malformed DNSSEC key can cause a validating resolver to exit due to a failed assertion in buffer.c. It is possible for a remote attacker to deliberately trigger this condition, for example by using a query which requires a response from a zone containing a deliberately malformed key. Impact: Recursive servers are at greatest risk but an authoritative server could be affected if an attacker controls a zone the server must query against to perform its zone service. Servers which are affected may terminate with an assertion failure, causing denial of service to all clients. Reproducible: Always
From oss-sec: Please be advised that ISC publicly announced two critical vulnerabilities in BIND: + CVE-2015-5722 is a denial-of-service vector which can be exploited remotely against a BIND server that is performing validation on DNSSEC-signed records. All versions of BIND since 9.0.0 are vulnerable. https://kb.isc.org/article/AA-01287 + CVE-2015-5986 is a denial-of-service vector which can be used against a BIND server that is performing recursion and (under limited conditions) an authoritative-only nameserver. Versions of BIND since 9.9.7 and 9.10.2 are vulnerable. https://kb.isc.org/article/AA-01291 New releases of BIND, including security fixes for these vulnerabilities, are available: ftp://ftp.isc.org/isc/bind9/9.10.3rc1/RELEASE-NOTES.bind-9.10.3rc1.html ftp://ftp.isc.org/isc/bind9/9.9.8rc1/RELEASE-NOTES.bind-9.9.8rc1.html ftp://ftp.isc.org/isc/bind9/9.10.2-P4/RELEASE-NOTES.bind-9.10.2-P4.html ftp://ftp.isc.org/isc/bind9/9.9.7-P3/RELEASE-NOTES.bind-9.9.7-P3.html Marcin Siodelski (as ISC Security Officer)
Additional info: One of the issues also affects key parsing in the command line tools. While the impact is likely low here this means bind-tools is also affected and should be bumped.
bind-9.10.2_p4 has just been added.
(In reply to Christian Ruppert (idl0r) from comment #3) > bind-9.10.2_p4 has just been added. Thank you for the version bump
Arches, please stabilize =net-dns/bind-9.10.2_p4 Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
=net-dns/bind-tools-9.10.2_p4 should also be stabilized.
Stable for HPPA PPC64.
Both stable on alpha.
both stable on amd64
ppc stable
ia64 stable
CVE-2015-5986 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5986): openpgpkey_61.c in named in ISC BIND 9.9.7 before 9.9.7-P3 and 9.10.x before 9.10.2-P4 allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via a crafted DNS response. CVE-2015-5722 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5722): buffer.c in named in ISC BIND 9.x before 9.9.7-P3 and 9.10.x before 9.10.2-P4 allows remote attackers to cause a denial of service (assertion failure and daemon exit) by creating a zone containing a malformed DNSSEC key and issuing a query for a name in that zone.
arm stable
x86 stable
Added to an existing GLSA Request. Waiting on sparc stabilization, GLSA ready for release.
sparc stable
This issue was resolved and addressed in GLSA 201510-01 at https://security.gentoo.org/glsa/201510-01 by GLSA coordinator Mikle Kolyada (Zlogene).