Bug 621730 (CVE-2017-3140, CVE-2017-3141) - <net-dns/bind-9.11.1_p1: Multiple vulnerabilities
Summary: <net-dns/bind-9.11.1_p1: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-3140, CVE-2017-3141
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa cve]
Keywords:
Duplicates: 622310
Depends on:
Blocks: CVE-2017-3136, CVE-2017-3137, CVE-2017-3138
Reported: 2017-06-14 10:37 UTC by Kristian Fiskerstrand
Modified: 2017-09-21 15:34 UTC

See Also:
Package list:
net-dns/bind-9.11.1_p1 net-dns/bind-tools-9.11.1_p1
Runtime testing required: ---
stable-bot: sanity-check+


Description Kristian Fiskerstrand gentoo-dev Security 2017-06-14 10:37:35 UTC
** CONFIDENTIAL **

Hello:

ISC would like to make you aware of an upcoming security disclosure
covering two exploitable BIND vulnerabilities (CVE-2017-3140,
CVE-2017-3141) and an operational notification concerning a potentially
impacting defect.

On Wednesday, 14 June 2017, we plan to publicly disclose these and issue
new security releases.

For the benefit of those selectively porting fixes, specific patch diffs
for each CVE can be found in the "patches" subdirectory of the
9.9.10-P1, 9.10.5-P1, and 9.11.1-P1 release directories.

Please do not divulge details about the vulnerabilities or the
location or contents of the replacement releases until after
ISC has gone public with our announcement.  However, to give you
a chance to get started on updated packages the links below
will provide early access to the new software.

[Redacted]

We appreciate the work you do to make BIND available.

**

An email with full content has been sent to the maintainer using OpenPGP encrypted email
Comment 1 Kristian Fiskerstrand gentoo-dev Security 2017-06-15 09:09:45 UTC
Public via http://www.openwall.com/lists/oss-security/2017/06/14/4

Date: Wed, 14 Jun 2017 18:31:00 -0500
From: ISC Security Officer <security-officer@....org>
To: oss-security@...ts.openwall.com
Cc: ISC Security Officer <security-officer@....org>
Subject: BIND9 CVE-2017-3140 & CVE-2017-3141

Today ISC announced CVE-2017-3140, CVE-2017-3141, and an operational
notification regarding LMDB in BIND 9.11.


CVE-2017-3140 is a denial-of-service vulnerability affecting 9.9.10,
9.10.5, 9.11.0->9.11.1, 9.9.10-S1, and 9.10.5-S1 when configured with
Response Policy Zones (RPZ) utilizing NSIP or NSDNAME rules.

We are aware that some subscribers to this list maintain BIND packages
which have diverged from the official ISC code branches.  While we
cannot always offer specific guidance, in the case of CVE-2017-3140
maintainers who have selectively backported BIND changes are advised to
check whether they have included change #4377, as that change has been
determined to be a cause of CVE-2017-3140.


CVE-2017-3141 is a Windows privilege escalation vector affecting
9.2.6-P2+, 9.3.2-P1+, 9.4.x, 9.5.x, 9.6.x, 9.7.x, 9.8.x, 9.9.0->9.9.10,
9.10.0->9.10.5, 9.11.0->9.11.1, 9.9.3-S1->9.9.10-S1, and 9.10.5-S1.  The
BIND Windows installer failed to properly quote the service paths,
possibly allowing a local user to achieve privilege escalation, if
allowed by file system permissions.


BIND 9.11.0 and 9.11.1 carry a number of integration problems with
LMDB (liblmdb) that will be addressed in BIND 9.11.2, planned for
release in July/August 2017.


Our full CVE text can be found at:

  https://kb.isc.org/article/AA-01495/74/CVE-2017-3140
  https://kb.isc.org/article/AA-01496/74/CVE-2017-3141

The full operational notification can be found at:

  https://kb.isc.org/article/AA-01497/169/LMDB-integration-problems.html

New releases of BIND, including security fixes for these
vulnerabilities, are available at: http://www.isc.org/downloads/

Release notes can be obtained using the following links:

  ftp://ftp.isc.org/isc/bind9/9.9.10-P1/
  ftp://ftp.isc.org/isc/bind9/9.10.5-P1/
  ftp://ftp.isc.org/isc/bind9/9.11.1-P1/

Brian Conry
Security Officer
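
Added example, not part of the bug report or of ISC's advisory: the advisory limits CVE-2017-3140 to servers whose RPZ uses NSIP or NSDNAME rules, which RPZ encodes as owner names ending in the labels `rpz-nsip` and `rpz-nsdname`, so an operator can check exposure by scanning the policy zone file for them. The zone contents and the `rpz.test` origin are constructed sample data, and the function name `find_ns_triggers` is hypothetical; the scan assumes continuation lines are indented and that `$ORIGIN` values are absolute.

```python
# Labels that mark the two RPZ trigger types named in the advisory.
NS_TRIGGERS = {"rpz-nsip": "NSIP", "rpz-nsdname": "NSDNAME"}

# Constructed sample policy zone (not taken from any real deployment).
SAMPLE_ZONE = """\
$TTL 300
@ IN SOA localhost. root.localhost. 1 3600 600 86400 300
  IN NS localhost.
blocked.example.net           CNAME .   ; QNAME trigger
ns1.bad.example.rpz-nsdname   CNAME .   ; NSDNAME trigger
32.53.2.0.192.rpz-nsip        CNAME .   ; NSIP trigger
24.0.113.0.203.rpz-ip         CNAME rpz-passthru.
*.sink.example.rpz-nsdname.rpz.test. CNAME .
"""


def find_ns_triggers(zone_text, origin):
    """Return (line_no, trigger, owner) for each NSIP/NSDNAME rule owner."""
    origin = origin.lower().rstrip(".") + "."
    hits = []
    for line_no, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()       # strip trailing comments
        if not line or line[0].isspace():
            continue  # blank, or indented record reusing the previous owner
        fields = line.split()
        owner = fields[0].lower()
        if owner == "$origin" and len(fields) > 1:
            origin = fields[1].lower().rstrip(".") + "."
        if owner.startswith("$") or owner == "@":
            continue                               # directive or zone apex
        if owner.endswith("."):                    # absolute owner name
            if not owner.endswith("." + origin):
                continue                           # not inside the policy zone
            owner = owner[: -len(origin) - 1]      # make it origin-relative
        trigger = NS_TRIGGERS.get(owner.rsplit(".", 1)[-1])
        if trigger:
            hits.append((line_no, trigger, owner))
    return hits


if __name__ == "__main__":
    for line_no, trigger, owner in find_ns_triggers(SAMPLE_ZONE, "rpz.test"):
        print(f"line {line_no}: {trigger} rule {owner}")
```

An empty result for every configured policy zone means the RPZ precondition stated in the advisory is not met; the version ranges it lists still have to be checked separately.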
Comment 2 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2017-06-19 12:06:23 UTC
bind and bind-tools 9.11.1_p1 have just been added.
Comment 3 Kristian Fiskerstrand gentoo-dev Security 2017-06-19 17:05:10 UTC
(In reply to Christian Ruppert (idl0r) from comment #2)
> bind and bind-tools 9.11.1_p1 have just been added.

Thank you for the bump, please call for stabilization when you feel it is ready
Comment 4 Kristian Fiskerstrand gentoo-dev Security 2017-06-20 14:34:34 UTC
*** Bug 622310 has been marked as a duplicate of this bug. ***
Comment 5 Kristian Fiskerstrand gentoo-dev Security 2017-06-23 16:57:30 UTC
(In reply to Kristian Fiskerstrand from comment #3)
> (In reply to Christian Ruppert (idl0r) from comment #2)
> > bind and bind-tools 9.11.1_p1 have just been added.
> 
> Thank you for the bump, please call for stabilization when you feel it is
> ready

Is this ready for stabilization yet?
Comment 6 Christian Ruppert (idl0r) archtester Gentoo Infrastructure gentoo-dev Security 2017-06-23 17:10:23 UTC
(In reply to Kristian Fiskerstrand from comment #5)
> (In reply to Kristian Fiskerstrand from comment #3)
> > (In reply to Christian Ruppert (idl0r) from comment #2)
> > > bind and bind-tools 9.11.1_p1 have just been added.
> > 
> > Thank you for the bump, please call for stabilization when you feel it is
> > ready
> 
> Is this ready for stabilization yet?

Yeah, looks ok to me.
If you want to stabilize it, please stabilize bind-tools-9.11.1_p1 as well.
Comment 7 Agostino Sarubbo gentoo-dev 2017-06-25 16:33:20 UTC
amd64 stable
Comment 8 Kerin Millar 2017-06-25 18:48:08 UTC
The stabilisation of bind-9.11.1_p1 effectively re-opens bug 600212.
Comment 9 Tobias Klausmann gentoo-dev 2017-06-26 20:21:32 UTC
Stable on alpha.
Comment 10 Thomas Deutschmann gentoo-dev Security 2017-06-28 11:20:37 UTC
Added to an existing GLSA.
Comment 11 Sergei Trofimovich gentoo-dev 2017-06-30 07:39:01 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2017-06-30 11:11:32 UTC
x86 stable
Comment 13 Markus Meier gentoo-dev 2017-07-06 05:02:59 UTC
arm stable
Comment 14 Agostino Sarubbo gentoo-dev 2017-07-07 09:09:28 UTC
sparc stable
Comment 15 Agostino Sarubbo gentoo-dev 2017-07-07 13:25:28 UTC
ppc stable
Comment 16 Agostino Sarubbo gentoo-dev 2017-07-07 14:50:58 UTC
ppc64 stable
Comment 17 Yury German Gentoo Infrastructure gentoo-dev Security 2017-08-02 03:12:58 UTC
Arches or maintainers please stabilize for Hippo ASAP. Security will release GLSA for this in 7 days with or without hppa arch being stable.
Comment 18 Yury German Gentoo Infrastructure gentoo-dev Security 2017-08-02 03:13:45 UTC
(In reply to Yury German from comment #17)
> Arches or maintainers please stabilize for Hippo <-- hppa
Script went crazy.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2017-08-17 03:03:34 UTC
This issue was resolved and addressed in
 GLSA 201708-01 at https://security.gentoo.org/glsa/201708-01
by GLSA coordinator Yury German (BlueKnight).
Comment 20 Yury German Gentoo Infrastructure gentoo-dev Security 2017-09-03 22:02:46 UTC
re-opening for cleanup.
Maintainer(s), please drop the vulnerable version(s).
Comment 21 Sergei Trofimovich gentoo-dev 2017-09-21 08:51:04 UTC
hppa stable

Last arch is done here.
Comment 22 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-21 15:34:59 UTC
Tree is clean from vulnerable versions.

Gentoo Security Padawan
ChrisADR