Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 559462 (CVE-2015-5722) - <net-dns/bind-9.10.2_p4: Multiple DoS vulnerabilities (CVE-2015-{5722,5986})
Summary: <net-dns/bind-9.10.2_p4: Multiple DoS vulnerabilities (CVE-2015-{5722,5986})
Status: RESOLVED FIXED
Alias: CVE-2015-5722
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2015/q3/483
Whiteboard: A3 [glsa cleanup cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-09-03 01:06 UTC by Vlad K.
Modified: 2015-10-18 19:52 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Vlad K. 2015-09-03 01:06:55 UTC
Quoting the URL:

Parsing a malformed DNSSEC key can cause a validating resolver to exit due to a failed assertion in buffer.c.  It is possible for a remote attacker to deliberately trigger this condition, for example by using a query which requires a response from a zone containing a deliberately malformed key.

Impact:

Recursive servers are at greatest risk but an authoritative server could be affected if an attacker controls a zone the server must query against to perform its zone service.

Servers which are affected may terminate with an assertion failure, causing denial of service to all clients.

Reproducible: Always
Comment 1 Kristian Fiskerstrand gentoo-dev Security 2015-09-03 07:32:06 UTC
From oss-sec: 

Please be advised that ISC publicly announced two critical
vulnerabilities in BIND:

+ CVE-2015-5722 is a denial-of-service vector which can be
  exploited remotely against a BIND server that is performing
  validation on DNSSEC-signed records. All versions of BIND since
  9.0.0 are vulnerable.
  https://kb.isc.org/article/AA-01287

+ CVE-2015-5986 is a denial-of-service vector which can be used
  against a BIND server that is performing recursion and (under
  limited conditions) an authoritative-only nameserver.
  Versions of BIND since 9.9.7 and 9.10.2 are vulnerable.
  https://kb.isc.org/article/AA-01291


New releases of BIND, including security fixes for these
vulnerabilities, are available:

ftp://ftp.isc.org/isc/bind9/9.10.3rc1/RELEASE-NOTES.bind-9.10.3rc1.html
ftp://ftp.isc.org/isc/bind9/9.9.8rc1/RELEASE-NOTES.bind-9.9.8rc1.html
ftp://ftp.isc.org/isc/bind9/9.10.2-P4/RELEASE-NOTES.bind-9.10.2-P4.html
ftp://ftp.isc.org/isc/bind9/9.9.7-P3/RELEASE-NOTES.bind-9.9.7-P3.html

Marcin Siodelski
(as ISC Security Officer)
Comment 2 Hanno Böck gentoo-dev 2015-09-03 18:31:06 UTC
Additional info: One of the issues also affects key parsing in the command line tools. While the impact is likely low here this means bind-tools is also affected and should be bumped.
Comment 3 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2015-09-09 20:09:37 UTC
bind-9.10.2_p4 has just been added.
Comment 4 Kristian Fiskerstrand gentoo-dev Security 2015-09-10 07:46:03 UTC
(In reply to Christian Ruppert (idl0r) from comment #3)
> bind-9.10.2_p4 has just been added.

Thank you for the version bump
Comment 5 Kristian Fiskerstrand gentoo-dev Security 2015-09-10 07:49:05 UTC
Arches, please stabilize
=net-dns/bind-9.10.2_p4
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 6 Hanno Böck gentoo-dev 2015-09-10 07:55:46 UTC
=net-dns/bind-tools-9.10.2_p4
should also be stabilized.
Comment 7 Jeroen Roovers gentoo-dev 2015-09-11 06:11:23 UTC
Stable for HPPA PPC64.
Comment 8 Tobias Klausmann gentoo-dev 2015-09-11 13:07:59 UTC
Both stable on alpha.
Comment 9 Richard Freeman gentoo-dev 2015-09-11 17:26:10 UTC
both stable on amd64
Comment 10 Agostino Sarubbo gentoo-dev 2015-09-22 09:01:00 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-09-24 08:03:34 UTC
ia64 stable
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2015-09-24 15:49:38 UTC
CVE-2015-5986 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5986):
  openpgpkey_61.c in named in ISC BIND 9.9.7 before 9.9.7-P3 and 9.10.x before
  9.10.2-P4 allows remote attackers to cause a denial of service (REQUIRE
  assertion failure and daemon exit) via a crafted DNS response.

CVE-2015-5722 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5722):
  buffer.c in named in ISC BIND 9.x before 9.9.7-P3 and 9.10.x before
  9.10.2-P4 allows remote attackers to cause a denial of service (assertion
  failure and daemon exit) by creating a zone containing a malformed DNSSEC
  key and issuing a query for a name in that zone.
Comment 13 Markus Meier gentoo-dev 2015-09-25 06:03:19 UTC
arm stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-09-25 14:30:02 UTC
x86 stable
Comment 15 Yury German Gentoo Infrastructure gentoo-dev Security 2015-09-26 04:21:32 UTC
Added to an existing GLSA Request.

Waiting on sparc stabilization, GLSA ready for release.
Comment 16 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-10-06 13:15:21 UTC
sparc stable
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2015-10-18 19:52:26 UTC
This issue was resolved and addressed in
 GLSA 201510-01 at https://security.gentoo.org/glsa/201510-01
by GLSA coordinator Mikle Kolyada (Zlogene).