Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

NetBSD Security Advisory 2011-009: BIND resolver DoS

Hash: SHA1

                NetBSD Security Advisory 2011-009

Topic:          BIND resolver DoS

Version:        NetBSD-current:         affected prior to 20111116
                NetBSD 5.1:             affected prior to 20111118
                NetBSD 5.0:             affected prior to 20111118
                NetBSD 4.0.*:           affected prior to 20111120
                NetBSD 4.0:             affected prior to 20111120
                pkgsrc:                 net/bind96, net/bind97 and net/bind98
                                        packages prior to 20111116

Severity:       Denial of Service

Fixed:          NetBSD-current:         Nov 16th, 2011
                NetBSD-5-1 branch:      Nov 18th, 2011
                NetBSD-5-0 branch:      Nov 18th, 2011
                NetBSD-5 branch:        Nov 18th, 2011
                NetBSD-4-0 branch:      Nov 20th, 2011
                NetBSD-4 branch:        Nov 20th, 2011
                pkgsrc net/bind96:      bind- mitigates this 
                pkgsrc net/bind97:      bind-9.7.4pl1 mitigates this issue
                pkgsrc net/bind98:      bind-9.8.1pl1 mitigates this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Resolvers crash after logging:
        "INSIST(! dns_rdataset_isassociated(sigrdataset))"

This vulnerability has been assigned CVE-2011-4313.

Technical Details

An accidential operational error exposed a previously unknown bug in BIND
that could be exploited intentionally:

Unpatched BIND 9 resolvers may cache an invalid record, subsequent
queries for which could crash the resolvers with an assertion failure.
ISC provided a patch which makes named recover gracefully from the
inconsistency, preventing the abnormal exit.

The patch has two components. When a client query is handled, the code
which processes the response to the client has to ask the cache for
the records for the name that is being queried. The first component
of the patch prevents the cache from returning the inconsistent data.
The second component prevents named from crashing if it detects
that it has been given an inconsistent answer of this nature.

Solutions and Workarounds

We suggest fixing this vulnerability by using the current net/bind98 or
net/bind97 pkgsrc package instead of the in-system bind until the entire
system can be updated (eg to the next security/critical release, or a
binary snapshot from from past
the fix date).

Thanks To

Thanks to the Internet Systems Consortium for reporting this
vulnerability and providing fixed versions.

Revision History

        2011-12-15      Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at and .

Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-009.txt,v 1.1 2011/12/15 13:52:31 tonnerre Exp $

Version: GnuPG v1.4.11 (NetBSD)


Home | Main Index | Thread Index | Old Index