[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
NetBSD Security Advisory 2011-009: BIND resolver DoS
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2011-009
Topic: BIND resolver DoS
Version: NetBSD-current: affected prior to 20111116
NetBSD 5.1: affected prior to 20111118
NetBSD 5.0: affected prior to 20111118
NetBSD 4.0.*: affected prior to 20111120
NetBSD 4.0: affected prior to 20111120
pkgsrc: net/bind96, net/bind97 and net/bind98
packages prior to 20111116
Severity: Denial of Service
Fixed: NetBSD-current: Nov 16th, 2011
NetBSD-5-1 branch: Nov 18th, 2011
NetBSD-5-0 branch: Nov 18th, 2011
NetBSD-5 branch: Nov 18th, 2011
NetBSD-4-0 branch: Nov 20th, 2011
NetBSD-4 branch: Nov 20th, 2011
pkgsrc net/bind96: bind-220.127.116.11.ESV.5pl1 mitigates this
pkgsrc net/bind97: bind-9.7.4pl1 mitigates this issue
pkgsrc net/bind98: bind-9.8.1pl1 mitigates this issue
Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.
Resolvers crash after logging:
This vulnerability has been assigned CVE-2011-4313.
An accidential operational error exposed a previously unknown bug in BIND
that could be exploited intentionally:
Unpatched BIND 9 resolvers may cache an invalid record, subsequent
queries for which could crash the resolvers with an assertion failure.
ISC provided a patch which makes named recover gracefully from the
inconsistency, preventing the abnormal exit.
The patch has two components. When a client query is handled, the code
which processes the response to the client has to ask the cache for
the records for the name that is being queried. The first component
of the patch prevents the cache from returning the inconsistent data.
The second component prevents named from crashing if it detects
that it has been given an inconsistent answer of this nature.
Solutions and Workarounds
We suggest fixing this vulnerability by using the current net/bind98 or
net/bind97 pkgsrc package instead of the in-system bind until the entire
system can be updated (eg to the next security/critical release, or a
binary snapshot from http://nyftp.netbsd.org/pub/NetBSD-daily/ from past
the fix date).
Thanks to the Internet Systems Consortium for reporting this
vulnerability and providing fixed versions.
2011-12-15 Initial release
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2011, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2011-009.txt,v 1.1 2011/12/15 13:52:31 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (NetBSD)
-----END PGP SIGNATURE-----
Main Index |
Thread Index |