Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 835439 (CVE-2021-25220, CVE-2022-0396) - <net-dns/bind-9.16.27: Multiple vulnerabilities
Summary: <net-dns/bind-9.16.27: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2021-25220, CVE-2022-0396
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 835440
Blocks:
  Show dependency tree
 
Reported: 2022-03-16 18:10 UTC by Sam James
Modified: 2022-10-31 02:23 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-16 18:10:36 UTC
From release notes (https://downloads.isc.org/isc/bind9/9.16.27/doc/arm/html/notes.html#notes-for-bind-9-16-27):
"""
Notes for BIND 9.16.27
Security Fixes

    The rules for acceptance of records into the cache have been tightened to prevent the possibility of poisoning if forwarders send records outside the configured bailiwick. (CVE-2021-25220)

    ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from Network and Information Security Lab, Tsinghua University, and Changgen Zou from Qi An Xin Group Corp. for bringing this vulnerability to our attention. [GL #2950]

    TCP connections with keep-response-order enabled could leave the TCP sockets in the CLOSE_WAIT state when the client did not properly shut down the connection. (CVE-2022-0396) [GL #3112]
"""
Comment 1 Larry the Git Cow gentoo-dev 2022-03-16 18:14:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7b918ba18b54e673b3b58f6dab03cb3c81f8148b

commit 7b918ba18b54e673b3b58f6dab03cb3c81f8148b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-03-16 18:14:15 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-03-16 18:14:24 +0000

    net-dns/bind-tools: add 9.16.27
    
    Bug: https://bugs.gentoo.org/835439
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/bind-tools/Manifest                  |   1 +
 net-dns/bind-tools/bind-tools-9.16.27.ebuild | 148 +++++++++++++++++++++++++++
 2 files changed, 149 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0eedb1c3f97c98966757a0e4909a15afb24e907

commit b0eedb1c3f97c98966757a0e4909a15afb24e907
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-03-16 18:10:41 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-03-16 18:14:22 +0000

    net-dns/bind: add 9.16.27
    
    Bug: https://bugs.gentoo.org/835439
    Signed-off-by: Sam James <sam@gentoo.org>

 net-dns/bind/Manifest            |   1 +
 net-dns/bind/bind-9.16.27.ebuild | 375 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 376 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-20 20:34:01 UTC
Please cleanup
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-22 01:33:39 UTC
GLSA request filed.
Comment 4 Larry the Git Cow gentoo-dev 2022-10-31 01:21:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bdc575dae63f16d44b926f18271d15d3173fc5f

commit 8bdc575dae63f16d44b926f18271d15d3173fc5f
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-10-31 01:19:33 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:20:11 +0000

    net-dns/bind: security cleanup
    
    Bug: https://bugs.gentoo.org/820563
    Bug: https://bugs.gentoo.org/835439
    Bug: https://bugs.gentoo.org/872206
    Acked-by: Patrick McLean <chutzpah@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-dns/bind/Manifest                              |   5 -
 net-dns/bind/bind-9.16.27-r1.ebuild                | 375 --------------------
 net-dns/bind/bind-9.16.29-r1.ebuild                | 376 --------------------
 net-dns/bind/bind-9.16.29.ebuild                   | 375 --------------------
 net-dns/bind/bind-9.16.30.ebuild                   | 381 --------------------
 net-dns/bind/bind-9.16.31.ebuild                   | 382 ---------------------
 net-dns/bind/bind-9.16.32.ebuild                   | 382 ---------------------
 .../bind/files/bind-9.16.29-fortify-source-3.patch |  35 --
 8 files changed, 2311 deletions(-)
Comment 5 Larry the Git Cow gentoo-dev 2022-10-31 01:42:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3ff54f9ebabdb1f657769518402d72abd34fbdcb

commit 3ff54f9ebabdb1f657769518402d72abd34fbdcb
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 01:18:02 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 01:40:16 +0000

    [ GLSA 202210-25 ] ISC BIND: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/820563
    Bug: https://bugs.gentoo.org/835439
    Bug: https://bugs.gentoo.org/872206
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-25.xml | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 02:23:37 UTC
GLSA released, all done!