Bug 678544 (CVE-2018-5744, CVE-2018-5745, CVE-2019-6465) - <net-dns/bind-9.12.3_p4: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2018-5744, CVE-2018-5745, CVE-2019-6465
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-02-22 07:38 UTC by Agostino Sarubbo
Modified: 2019-04-09 12:55 UTC

See Also:
Package list:
=net-dns/bind-9.12.3_p4 =net-dns/bind-tools-9.12.3_p4
Runtime testing required: No
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2019-02-22 07:38:38 UTC
From ${URL} :

Today ISC disclosed three vulnerabilities affecting multiple versions of
BIND.  Full details on versions affected and more information about the
vulnerabilities are available via these articles in the ISC Knowledge Base:

CVE-2018-5744:
   A specially crafted packet can cause named to leak memory
   https://kb.isc.org/docs/cve-2018-5744

CVE-2018-5745:
   An assertion failure can occur if a trust anchor rolls over to
   an unsupported key algorithm when a server is using managed-keys
   https://kb.isc.org/docs/cve-2018-5745

CVE-2019-6465:
   Controls for zone transfers may not be properly applied to
   Dynamically Loadable Zones (DLZs) if the zones are writable.
   https://kb.isc.org/docs/cve-2019-6465

New software versions are available from the ISC downloads page:
https://www.isc.org/downloads

With the public disclosure of these vulnerabilities, parties which
had been given advance notice concerning them are released from
non-disclosure and packagers and redistributors are encouraged to
publish updated packages containing fixes.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Christian Ruppert (idl0r) gentoo-dev 2019-02-25 14:33:17 UTC
bind-9.12.3_p4 and bind-tools-9.12.3_p4 have just been added but not yet tested
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2019-04-02 05:22:57 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 3 Christian Ruppert (idl0r) gentoo-dev 2019-04-04 15:22:40 UTC
Feel free to stabilize bind-9.12.3_p4 and bind-tools-9.12.3_p4
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-04-04 18:30:25 UTC
@arches, please stabilize.
Comment 5 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-04 20:52:43 UTC
amd64 stable
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-07 08:41:14 UTC
alpha stable
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-07 08:43:06 UTC
alpha stable
Comment 8 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-07 08:53:52 UTC
alpha stable
Comment 9 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-07 08:58:56 UTC
alpha stable
Comment 10 Sergei Trofimovich gentoo-dev 2019-04-07 21:49:41 UTC
ppc64 stable
Comment 11 Thomas Deutschmann gentoo-dev Security 2019-04-08 02:19:16 UTC
x86 stable
Comment 12 Sergei Trofimovich gentoo-dev 2019-04-08 06:11:16 UTC
ppc stable
Comment 13 Markus Meier gentoo-dev 2019-04-08 18:27:21 UTC
arm stable
Comment 14 Rolf Eike Beer 2019-04-08 21:58:51 UTC
sparc stable
Comment 15 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-09 12:49:24 UTC
ia64 stable
Comment 16 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-09 12:49:54 UTC
hppa stable
Comment 17 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-04-09 12:55:52 UTC
Also cleaned old.

GLSA vote: no.