Bug 576902 (CVE-2016-1285, CVE-2016-1286, CVE-2016-2088) - <net-dns/bind{,-tools}-9.10.3_p4: Multiple vulnerabilities (CVE-2016-{1285,1286,2088})
Alias: CVE-2016-1285, CVE-2016-1286, CVE-2016-2088
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa cve]
Reported: 2016-03-09 20:10 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2016-10-11 18:55 UTC (History)
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-03-09 20:10:03 UTC
Please be advised that ISC announced security advisories for
vulnerabilities in ISC BIND.

CVE-2016-1285: An error parsing input received by the rndc control
channel can cause an assertion failure in sexpr.c or alist.c. All
versions since 9.2.0 are affected.

CVE-2016-1286: A problem parsing resource record signatures for
DNAME resource records can lead to an assertion failure in resolver.c
or db.c. All versions since 9.0.0 are affected.

CVE-2016-2088: A response containing multiple DNS cookies causes
servers with cookie support enabled to exit with an assertion
failure in resolver.c. This affects the 9.10.x versions.

Jeremy C. Reed
ISC Security Officer
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-03-22 06:29:45 UTC
CVE-2016-2088:
  resolver.c in named in ISC BIND 9.10.x before 9.10.3-P4, when DNS cookies
  are enabled, allows remote attackers to cause a denial of service (INSIST
  assertion failure and daemon exit) via a malformed packet with more than one
  cookie option.

CVE-2016-1286:
  named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allows
  remote attackers to cause a denial of service (assertion failure and daemon
  exit) via a crafted signature record for a DNAME record, related to db.c and

CVE-2016-1285:
  named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allows
  remote attackers to cause a denial of service (assertion failure and daemon
  exit) via a malformed packet to the rndc (aka control channel) interface,
  related to alist.c and sexpr.c.
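The ISC announcement in the description and the CVE text in Comment 1 together give exact bounds: CVE-2016-1285 (all versions since 9.2.0) and CVE-2016-1286 (all versions since 9.0.0) are fixed in 9.9.8-P4 and 9.10.3-P4, and CVE-2016-2088 only applies to 9.10.x builds with DNS cookie support enabled. The script below is an added example, not code from ISC, Gentoo or this bug, that turns those bounds into a version check. It accepts either a `named -v` banner or a Gentoo atom such as `net-dns/bind-9.10.3_p4` (Gentoo's `_pN` is ISC's `-PN`) and reports which of the three CVEs a version still carries. Its assumptions, beyond what the bug states: BIND 9.11 and later, released after these fixes, are treated as fixed; branches older than 9.9, which ISC did not patch, are reported as vulnerable wherever the "all versions since" statements cover them; and whether cookie support is enabled is passed in as a flag, since that depends on the build and configuration. The sample banners (and their `<id:...>` hash) are constructed.

```python
import re

# Fix levels from the CVE text in this bug, keyed by (major, minor) branch.
# Only 9.9 and 9.10 received fixes from ISC for these issues.
FIXED_IN = {
    (9, 9): (9, 9, 8, 4),    # 9.9.8-P4
    (9, 10): (9, 10, 3, 4),  # 9.10.3-P4
}

# Earliest affected version per CVE, from the ISC announcement in this bug.
# CVE-2016-2088 needs the DNS cookie code that only 9.10.x carries, so it
# is handled separately below rather than by a version floor.
FIRST_AFFECTED = {
    "CVE-2016-1285": (9, 2, 0, 0),   # rndc control channel, since 9.2.0
    "CVE-2016-1286": (9, 0, 0, 0),   # DNAME RRSIG parsing, since 9.0.0
}

# ISC writes "9.10.3-P4"; Gentoo writes the same release as "9.10.3_p4".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:[-_][Pp](\d+))?\b")


def parse_bind_version(text):
    """Return (major, minor, patch, plevel) from a 'named -v' banner such as
    'BIND 9.10.3-P4 <id:...>', a Gentoo atom like 'net-dns/bind-9.10.3_p4',
    or a bare '9.9.8' (plevel 0)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no BIND version string in %r" % text)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def unfixed_cves(version, cookies_enabled=True):
    """List the CVEs from this bug that `version` still carries.

    cookies_enabled models the 'when DNS cookies are enabled' condition on
    CVE-2016-2088; pass the value for your build, the script cannot know it.
    """
    major, minor = version[0], version[1]
    if major != 9:
        raise ValueError("only BIND 9 is covered by this check")
    branch = (major, minor)
    # Assumption: 9.11 and later were released after these fixes.
    if branch > (9, 10):
        return []
    fixed = FIXED_IN.get(branch)
    if fixed is not None and version >= fixed:
        return []
    # Either an unpatched 9.9/9.10 build or an older, unmaintained branch:
    # apply the per-CVE version floors from the announcement.
    cves = [cve for cve, first in FIRST_AFFECTED.items() if version >= first]
    if branch == (9, 10) and cookies_enabled:
        cves.append("CVE-2016-2088")
    return cves


def audit(text, cookies_enabled=True):
    """Convenience wrapper: banner or atom in, one-line verdict out."""
    version = parse_bind_version(text)
    missing = unfixed_cves(version, cookies_enabled)
    label = "%d.%d.%d" % version[:3] + ("-P%d" % version[3] if version[3] else "")
    if not missing:
        return "%s: not affected by CVE-2016-{1285,1286,2088}" % label
    return "%s: still vulnerable to %s" % (label, ", ".join(missing))


if __name__ == "__main__":
    # Constructed sample inputs; the <id:...> hash is made up.
    for sample in ("BIND 9.10.3-P3 <id:0123abc>",
                   "net-dns/bind-9.10.3_p4",
                   "BIND 9.9.8-P3 <id:0123abc>",
                   "BIND 9.8.4-P2 <id:0123abc>"):
        print(audit(sample))
```

The version tuple comparison is what makes the `-P` suffix ordering work: `9.10.3` (plevel 0) sorts below `9.10.3-P4`, while `9.10.4` sorts above it, which is exactly how ISC's patch releases relate to the next point release. The cookie flag only gates CVE-2016-2088; the two parsing bugs are reported regardless of configuration, since nothing in the advisory makes them conditional.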
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-03-22 06:37:50 UTC
@maintainer, please let us know if you would like to call for stabilization on 9.10.3_p4.  Thanks.
Comment 3 Vlad K. 2016-03-30 15:28:55 UTC
Any reason this has not even begun stabilization yet? There are remote vulns in here...
Comment 4 Christian Ruppert (idl0r) gentoo-dev 2016-04-10 20:08:19 UTC
Feel free to stabilize. Please stabilize both, =net-dns/bind-9.10.3_p4 and =net-dns/bind-tools-9.10.3_p4.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-04-10 22:02:31 UTC
Arches, please stabilize:
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 6 Agostino Sarubbo gentoo-dev 2016-04-11 10:21:54 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-04-11 10:41:56 UTC
x86 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2016-04-11 15:22:57 UTC
Stable for HPPA PPC64.
Comment 9 Markus Meier gentoo-dev 2016-04-19 15:35:44 UTC
arm stable
Comment 10 Matt Turner gentoo-dev 2016-05-02 03:33:50 UTC
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-07-08 07:55:52 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2016-07-08 10:04:23 UTC
sparc stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-07-08 12:03:55 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2016-07-11 10:43:46 UTC
@arches, it looks like we missed net-dns/bind-tools on this.  Please stabilize:

Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2016-07-11 10:59:26 UTC
New GLSA request filed.
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2016-07-13 13:51:22 UTC
Stable for HPPA PPC64.
Comment 17 Agostino Sarubbo gentoo-dev 2016-07-22 19:20:17 UTC
ia64/ppc/sparc done.
Comment 18 Agostino Sarubbo gentoo-dev 2016-09-29 09:48:59 UTC
sparc stable
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2016-10-11 18:55:32 UTC
This issue was resolved and addressed in
 GLSA 201610-07 at
by GLSA coordinator Kristian Fiskerstrand (K_F).