Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 576902 (CVE-2016-1285, CVE-2016-1286, CVE-2016-2088) - <net-dns/bind{,-tools}-9.10.3_p4: Multiple vulnerabilities (CVE-2016-{1285,1286,2088})
Summary: <net-dns/bind{,-tools}-9.10.3_p4: Multiple vulnerabilities (CVE-2016-{1285,12...
Status: RESOLVED FIXED
Alias: CVE-2016-1285, CVE-2016-1286, CVE-2016-2088
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-03-09 20:10 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2016-10-11 18:55 UTC (History)
6 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-03-09 20:10:03 UTC
Please be advised that ISC announced security advisories for
vulnerabilities in ISC BIND.

CVE-2016-1285: An error parsing input received by the rndc control
channel can cause an assertion failure in sexpr.c or alist.c. All
versions since 9.2.0 are affected.
https://kb.isc.org/article/AA-01352

CVE-2016-1286: A problem parsing resource record signatures for
DNAME resource records can lead to an assertion failure in resolver.c
or db.c. All versions since 9.0.0 are affected.
https://kb.isc.org/article/AA-01353

CVE-2016-2088: A response containing multiple DNS cookies causes
servers with cookie support enabled to exit with an assertion
failure in resolver.c. This affects the 9.10.x versions.
https://kb.isc.org/article/AA-01351



Jeremy C. Reed
ISC Security Officer
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2016-03-22 06:29:45 UTC
CVE-2016-2088 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2088):
  resolver.c in named in ISC BIND 9.10.x before 9.10.3-P4, when DNS cookies
  are enabled, allows remote attackers to cause a denial of service (INSIST
  assertion failure and daemon exit) via a malformed packet with more than one
  cookie option.

CVE-2016-1286 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1286):
  named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allows
  remote attackers to cause a denial of service (assertion failure and daemon
  exit) via a crafted signature record for a DNAME record, related to db.c and
  resolver.c.

CVE-2016-1285 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1285):
  named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allows
  remote attackers to cause a denial of service (assertion failure and daemon
  exit) via a malformed packet to the rndc (aka control channel) interface,
  related to alist.c and sexpr.c.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-03-22 06:37:50 UTC
@maintainer, please let us know if you would like to call for stabilization on 9.10.3_p4.  Thanks.
Comment 3 Vlad K. 2016-03-30 15:28:55 UTC
Any reason this has not even begun stabilization yet? There are remote vulns in here...
Comment 4 Christian Ruppert (idl0r) gentoo-dev 2016-04-10 20:08:19 UTC
Feel free to stabilize. Please stabilize both, =net-dns/bind-9.10.3_p4 and =net-dns/bind-tools-9.10.3_p4.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-04-10 22:02:31 UTC
Arches, please stabilize:
=net-dns/bind-9.10.3_p4
=net-dns/bind-tools-9.10.3_p4.
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 6 Agostino Sarubbo gentoo-dev 2016-04-11 10:21:54 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-04-11 10:41:56 UTC
x86 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2016-04-11 15:22:57 UTC
Stable for HPPA PPC64.
Comment 9 Markus Meier gentoo-dev 2016-04-19 15:35:44 UTC
arm stable
Comment 10 Matt Turner gentoo-dev 2016-05-02 03:33:50 UTC
alpha stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-07-08 07:55:52 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2016-07-08 10:04:23 UTC
sparc stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-07-08 12:03:55 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2016-07-11 10:43:46 UTC
@arches, it looks like we missed net-dns/bind-tools on this.  Please stabilize:

=net-dns/bind-tools-9.10.3_p4
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2016-07-11 10:59:26 UTC
New GLSA request filed.
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2016-07-13 13:51:22 UTC
Stable for HPPA PPC64.
Comment 17 Agostino Sarubbo gentoo-dev 2016-07-22 19:20:17 UTC
ia64/ppc/sparc done.
Comment 18 Agostino Sarubbo gentoo-dev 2016-09-29 09:48:59 UTC
sparc stable
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2016-10-11 18:55:32 UTC
This issue was resolved and addressed in
 GLSA 201610-07 at https://security.gentoo.org/glsa/201610-07
by GLSA coordinator Kristian Fiskerstrand (K_F).