[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: bind -> unbound/nsd
On Thu, Aug 18, 2016 at 11:10:18AM -0400, Christos Zoulas wrote:
> The recent change of ISC/bind licensing from BSD to MPL for the
> next release has provided us with an opportunity to re-evaluate
> the preferred daemon status for NetBSD and DNS resolution. Board/Core
> have decided not to import the next version of bind, and instead
> import the current version of unbound/nsd.
> If you feel that this creates problems for you, let us know.
> Also you should be able to use newer versions of bind from pkgsrc.
> We are not planning to de-support or remove bind for NetBSD-8.
This may not be 100% factually correct (I'm trying my best, but not too
familiar with BIND):
NetBSD 6.0 was released in Oct 2012. If we had done such a decision
several months before the release, the version of BIND we would have in
base for 6.x is ~9.9.0.
This is a list of the vulnerabilities that our 6.x base BIND would
contain in this scenario, which would resemble what we will see towards
the end of the 8.x supported life.
# CVE Number Short Description
75 2016-2775 A query name which is too long can cause a segmentation fault in lwresd
73 2016-1286 A problem parsing resource record signatures for DNAME resource records can lead to an assertion failure in resolver.c or db.c
72 2016-1285 An error parsing input received by the rndc control channel can cause an assertion failure in sexpr.c or alist.c
69 2015-8704 Specific APL data could trigger an INSIST in apl_42.c
67 2015-8000 Responses with a malformed class attribute can trigger an assertion failure in db.c
65 2015-5722 Parsing malformed keys may cause BIND to exit due to a failed assertion in buffer.c
64 2015-5477 An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure
63 2015-4620 Specially Constructed Zone Data Can Cause a Resolver to Crash when Validating
62 2015-1349 A Problem with Trust Anchor Management Can Cause named to Crash
60 2014-8500 A Defect in Delegation Handling Can Be Exploited to Crash BIND
57 2014-0591 A Crafted Query Against an NSEC3-signed Zone Can Crash BIND
56 2013-6230 A Winsock API Bug can cause a side-effect affecting BIND ACLs
55 2013-4854 A specially crafted query can cause BIND to terminate abnormally
53 2013-2266 A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named
52 2012-5689 BIND 9 with DNS64 enabled can unexpectedly terminate when resolving domains in RPZ
51 2012-5688 BIND 9 servers using DNS64 can be crashed by a crafted query
50 2012-5166 Specially crafted DNS data can cause a lockup in named
49 2012-4244 A specially crafted Resource Record could cause named to terminate
48 2012-3868 High TCP query load can trigger a memory leak
47 2012-3817 Heavy DNSSEC validation load can cause a "bad cache" assertion failure
46 2012-1667 Handling of zero length rdata can cause named to terminate unexpectedly
Obtained from https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html
Main Index |
Thread Index |