Bug 728590 (CVE-2020-8618, CVE-2020-8619) - <net-dns/bind-9.16.4: Multiple vulnerabilities (CVE-2020-{8618,8619})
Summary: <net-dns/bind-9.16.4: Multiple vulnerabilities (CVE-2020-{8618,8619})
Status: RESOLVED FIXED
Alias: CVE-2020-8618, CVE-2020-8619
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://lists.isc.org/pipermail/bind-...
Whiteboard: B3 [noglsa cve]
Keywords:
Duplicates: 728972
Depends on: 730198
Blocks:
Reported: 2020-06-17 19:15 UTC by Sam James
Modified: 2020-07-31 16:12 UTC
CC List: 5 users

See Also:
Package list:
net-dns/bind-9.16.4 amd64 arm arm64 ppc ppc64 sparc x86 net-dns/bind-tools-9.16.4 amd64 arm arm64 hppa ppc ppc64 sparc x86
Runtime testing required: ---
nattka: sanity-check+


Attachments
bind-9.16.4.ebuild (11.12 KB, text/plain), 2020-06-27 06:52 UTC, Krzysztof Olędzki

Description Sam James archtester gentoo-dev Security 2020-06-17 19:15:34 UTC
* CVE-2020-8618

Description:
"An assertion check in BIND (that is meant to prevent going beyond the end of a buffer when processing incoming data) can be incorrectly triggered by a large response during zone transfer."

Advisory: https://lists.isc.org/pipermail/bind-announce/2020-June/001157.html

* CVE-2020-8619

Description:
"The asterisk character ("*") is allowed in DNS zone files, where it is most commonly present as a wildcard at a terminal node of the Domain Name System graph. However, the RFCs do not require and BIND does not enforce that an asterisk character be present only at a terminal node."

Advisory: https://lists.isc.org/pipermail/bind-announce/2020-June/001158.html
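The CVE-2020-8619 text above describes the triggering condition (an asterisk label at a node that is not a terminal node of the DNS tree) without saying how to find such names in a zone. The following is an added example, not part of this bug report, the ISC advisory, or the BIND sources: a small zone-file lint that resolves owner names against $ORIGIN and flags every owner whose asterisk label has labels to its left, because any label to the right of another label is an ancestor node and therefore non-terminal. The sample zone, the function names and the 192.0.2.0/24 addresses are constructed for the example.

```python
from typing import List, Tuple

# Constructed sample zone (not from the bug report or any ISC advisory).
# Lines 7-9 place an asterisk label above other names, which is the
# "asterisk at a non-terminal node" condition described for CVE-2020-8619.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA ns1 hostmaster 2020061701 7200 3600 1209600 3600
@        IN NS  ns1
ns1      IN A   192.0.2.1
*        IN A   192.0.2.2            ; ordinary terminal wildcard, fine
www.*    IN A   192.0.2.3            ; "*" is now a non-terminal node
*.*      IN A   192.0.2.4            ; the right-hand "*" is non-terminal
mail.*.sub.example.com. IN A 192.0.2.5
"""


def absolute_name(owner: str, origin: str) -> str:
    """Turn a zone-file owner field into a fully qualified name (trailing dot)."""
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner
    return f"{owner}.{origin}"


def parse_owners(zone_text: str, default_origin: str = ".") -> List[Tuple[int, str]]:
    """Return (line_number, fqdn) for every record owner in a simple zone file.

    Handles $ORIGIN, '@', relative and absolute names, and ';' comments.
    Records that inherit the previous owner (leading whitespace) are skipped
    because they do not introduce a new node. Multi-line '(' ')' records and
    $INCLUDE are not expanded; this is a lint, not a full master-file parser.
    """
    origin = default_origin if default_origin.endswith(".") else default_origin + "."
    owners: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1] if fields[1].endswith(".") else fields[1] + "."
            continue
        if fields[0].startswith("$"):      # $TTL, $INCLUDE, ...: no owner name
            continue
        if raw[0].isspace():               # owner inherited from previous record
            continue
        owners.append((lineno, absolute_name(fields[0], origin)))
    return owners


def non_terminal_asterisks(zone_text: str, default_origin: str = ".") -> List[Tuple[int, str, str]]:
    """Flag owner names in which an asterisk label is not the leftmost label.

    A label with other labels to its left is an ancestor of the name on that
    line, so a '*' there can never be a terminal node. A bare leftmost '*' is
    the ordinary RFC 4592 wildcard and is left alone.
    Returns (line_number, owner_fqdn, offending_label).
    """
    findings: List[Tuple[int, str, str]] = []
    for lineno, fqdn in parse_owners(zone_text, default_origin):
        labels = fqdn.rstrip(".").split(".")
        for label in labels[1:]:
            if "*" in label:
                findings.append((lineno, fqdn, label))
    return findings


if __name__ == "__main__":
    for lineno, name, label in non_terminal_asterisks(SAMPLE_ZONE):
        print(f"line {lineno}: {name} has asterisk label '{label}' at a non-terminal node")
```

Run against a real zone with the zone's own origin as the second argument (`non_terminal_asterisks(open(path).read(), "example.com")`). Any hit is a name to remove or rename before loading the zone on a server that has not yet been updated to 9.16.4 / 9.11.20.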
Comment 1 Sam James archtester gentoo-dev Security 2020-06-17 19:16:46 UTC
@maintainer(s), please bump to 9.16.4, 9.11.20.
Comment 2 Sam James archtester gentoo-dev Security 2020-06-21 10:47:43 UTC
*** Bug 728972 has been marked as a duplicate of this bug. ***
Comment 3 Sam James archtester gentoo-dev Security 2020-06-21 10:48:21 UTC
ping
Comment 4 Krzysztof Olędzki 2020-06-27 06:52:22 UTC
Created attachment 646646
bind-9.16.4.ebuild
Comment 5 Krzysztof Olędzki 2020-06-27 06:56:01 UTC
If it helps, I just uploaded an updated ebuild file.

Bind 9.16.4 moved the man files into doc/man and removed Bv9ARM.pdf. While it can still be built, this requires LaTeX with xelatex, which would pull in a lot of dependencies.


--- bind-9.16.3.ebuild  2020-05-20 05:39:01.000000000 -0700
+++ bind-9.16.4.ebuild  2020-06-26 23:41:43.738828916 -0700
@@ -98,7 +98,7 @@
        export LDFLAGS="${LDFLAGS} -L${EPREFIX}/usr/$(get_libdir) -ldl"

        # Adjusting PATHs in manpages
-       for i in bin/{named/named.8,check/named-checkconf.8,rndc/rndc.8} ; do
+       for i in doc/man/{named.8in,named-checkconf.8in,rndc.8in} ; do
                sed -i \
                        -e 's:/etc/named.conf:/etc/bind/named.conf:g' \
                        -e 's:/etc/rndc.conf:/etc/bind/rndc.conf:g' \
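Review bot: the rewritten loop hardcodes three templates under doc/man (named.8in, named-checkconf.8in, rndc.8in), so any other man page there that mentions /etc/named.conf or /etc/rndc.conf keeps the upstream path; looping over `doc/man/*.8in` (and the other `*.Nin` templates if they exist) would survive the next upstream rename. The sed call itself should end in `|| die` so that a template that is missing or renamed again fails the build instead of being silently skipped; that part of the loop is outside the visible context of the hunk and is worth checking.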
@@ -183,7 +183,7 @@
        dodoc CHANGES README

        if use doc; then
-               dodoc doc/arm/Bv9ARM.pdf
+               test -f doc/arm/Bv9ARM.pdf && dodoc doc/arm/Bv9ARM.pdf

                docinto misc
                dodoc -r doc/misc/
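Review bot: the `test -f doc/arm/Bv9ARM.pdf && dodoc doc/arm/Bv9ARM.pdf` guard can never fire on 9.16.4, since the comment above states upstream removed the PDF, so USE=doc now silently installs nothing of the ARM. Either drop the line, or install what upstream still ships (e.g. the doc/arm/ sources under `docinto`) so the flag still delivers something, and say so in the ebuild. If a conditional is kept, Gentoo style is `if [[ -f doc/arm/Bv9ARM.pdf ]]; then dodoc doc/arm/Bv9ARM.pdf; fi` rather than a bare `test ... &&` list.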
@@ -217,7 +217,7 @@
        newenvd "${FILESDIR}"/10bind.env 10bind

        # Let's get rid of those tools and their manpages since they're provided by bind-tools
-       rm -f "${ED}"/usr/share/man/man1/{dig,host,nslookup}.1* || die
+       rm -f "${ED}"/usr/share/man/man1/{dig,host,nslookup,nsupdate,delv}.1* || die
        rm -f "${ED}"/usr/share/man/man8/nsupdate.8* || die
        rm -f "${ED}"/usr/bin/{dig,host,nslookup,nsupdate} || die
        rm -f "${ED}"/usr/sbin/{dig,host,nslookup,nsupdate} || die
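Review bot: delv is added to the man1 removal but not to the binary removals on the following two lines (`rm -f "${ED}"/usr/bin/{dig,host,nslookup,nsupdate}` and its usr/sbin twin), so if upstream builds delv, bind still installs the binary while dropping its man page; should bind-tools also provide delv that is a file collision, and if it does not, users lose the man page. Add delv to both binary lists (or to neither) so man page and binary move together. nsupdate now appears in both the man1 and the man8 removal, so one of the two lines is a no-op after upstream's section change; confirm which section 9.16.4 installs and drop the stale one.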
Comment 6 Sam James archtester gentoo-dev Security 2020-07-17 10:43:12 UTC
arm stable
Comment 7 Sam James archtester gentoo-dev Security 2020-07-17 10:43:28 UTC
arm64 stable
Comment 8 Sam James archtester gentoo-dev Security 2020-07-17 12:45:19 UTC
ppc stable
Comment 9 Sam James archtester gentoo-dev Security 2020-07-17 20:01:10 UTC
ppc64 stable
Comment 10 Sam James archtester gentoo-dev Security 2020-07-18 01:15:17 UTC
x86 stable
Comment 11 Sam James archtester gentoo-dev Security 2020-07-18 13:32:07 UTC
amd64 stable
Comment 12 Sam James archtester gentoo-dev Security 2020-07-18 22:28:46 UTC
sparc stable
Comment 13 Sam James archtester gentoo-dev Security 2020-07-27 18:44:29 UTC
hppa: ping
Comment 14 Sam James archtester gentoo-dev Security 2020-07-27 18:45:05 UTC
GLSA vote: no.
Comment 15 Rolf Eike Beer archtester 2020-07-29 17:35:30 UTC
hppa stable
Comment 16 Sam James archtester gentoo-dev Security 2020-07-29 19:16:37 UTC
Please cleanup.