NetBSD Security Advisory 2011-001: BIND DoS due to improper handling of RRSIG records
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2011-001

Topic:     BIND DoS due to improper handling of RRSIG records

Version:   NetBSD-current:       affected prior to 20101203
           NetBSD 5.1:           affected prior to 20110111
           NetBSD 5.0:           affected prior to 20110111
           NetBSD 4.0.*:         affected prior to 20110124
           NetBSD 4.0:           affected prior to 20110124
           pkgsrc:               net/bind97 package prior to 20101203

Severity:  Denial of Service

Fixed:     NetBSD-current:       Dec 2nd, 2010
           NetBSD-5-1 branch:    Jan 10th, 2011
           NetBSD-5-0 branch:    Jan 10th, 2011
           NetBSD-5 branch:      Jan 6th, 2011
           NetBSD-4-0 branch:    Jan 23rd, 2011
           NetBSD-4 branch:      Jan 23rd, 2011
           pkgsrc net/bind97:    bind-9.7.2pl3 corrects this issue
           pkgsrc net/bind96:    bind-9.6.2pl3 corrects this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.

Failure to clear existing RRSIG records when a NO DATA is negatively
cached could cause subsequent lookups to crash named.

This vulnerability has been assigned CVE-2010-3613 and CERT
Vulnerability Note VU#706148.

Adding certain types of signed negative responses to the cache
doesn't clear any matching RRSIG records already in the cache. A
subsequent lookup of the cached data can cause named to crash.

This vulnerability affects recursive nameservers irrespective of
whether DNSSEC validation is enabled or disabled. Exploitation
requires a DNS client authorized to use the nameserver for recursion
requesting information about a specially prepared zone not on the

Solutions and Workarounds

We suggest fixing this vulnerability by using the current net/bind97
pkgsrc package instead of the in-system bind until the entire system
can be updated (e.g. to the next security/critical release, or a binary
snapshot from http://nyftp.netbsd.org/pub/NetBSD-daily/ from past the

Thanks to the Internet Systems Consortium for reporting this
vulnerability. Thanks to Christos Zoulas for fixing this issue in
-current. Thanks to Petra Zeidler for preparing the pullups to
fix this issue on the branches.

2011-02-01 Initial release

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .

Copyright 2011, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-001.txt,v 1.1 2011/02/01 22:03:34 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (NetBSD)
-----END PGP SIGNATURE-----
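
The "Fixed" list and the Solutions section above name bind-9.7.2pl3 and bind-9.6.2pl3 as the corrected pkgsrc packages. The script below is an added example, not part of the advisory or of pkgsrc, that classifies a pkgsrc BIND package name against those two versions. The function name `sa2011_001_status` is hypothetical, the sample names are constructed, and it assumes later releases on the same branch keep the fix; it says nothing about the in-system named, which the advisory tracks by date.

```sh
#!/bin/sh
# Added example: classify a pkgsrc BIND package name against the corrected
# versions named in this advisory (bind-9.7.2pl3 and bind-9.6.2pl3).
# sa2011_001_status is a hypothetical helper name, not a pkgsrc tool.
# Assumption: later releases on the same branch keep the fix.

sa2011_001_status() {
    # Turn "bind-9.7.2pl3nb1" into "9.7 2 3" (branch, patch, patchlevel);
    # a missing "plN" counts as patchlevel 0, a pkgsrc "nbN" suffix is ignored.
    fields=$(printf '%s\n' "$1" | sed -n \
        -e 's/^bind-\([0-9][0-9]*\.[0-9][0-9]*\)\.\([0-9][0-9]*\)pl\([0-9][0-9]*\)\(nb[0-9]*\)*$/\1 \2 \3/p' \
        -e 's/^bind-\([0-9][0-9]*\.[0-9][0-9]*\)\.\([0-9][0-9]*\)\(nb[0-9]*\)*$/\1 \2 0/p')
    [ -n "$fields" ] || { echo unknown; return 0; }
    set -- $fields
    branch=$1 patch=$2 pl=$3

    # Only the two branches the advisory lists can be judged from this page.
    case $branch in
        9.7|9.6) fixed_patch=2 fixed_pl=3 ;;
        *) echo unknown; return 0 ;;
    esac

    if [ "$patch" -gt "$fixed_patch" ] ||
       { [ "$patch" -eq "$fixed_patch" ] && [ "$pl" -ge "$fixed_pl" ]; }; then
        echo corrected
    else
        echo needs-update
    fi
}

# Constructed sample names; on a real host the name would come from
# `pkg_info -e bind`.
for name in bind-9.7.2pl2 bind-9.7.2pl3 bind-9.6.2pl3nb1 bind-9.5.2pl4; do
    printf '%s: %s\n' "$name" "$(sa2011_001_status "$name")"
done
```

A result of `unknown` means the name is on a branch or in a format the advisory does not cover, not that the package is safe.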