[FreeBSD-Announce] FreeBSD Security Advisory
FreeBSD-SA-11:02.bind
jhell
jhell at DataIX.net
Tue Jun 14 20:53:29 UTC 2011
What are you talking about! "thats great!" this is an advisory not a
discussion of what you use.
On Tue, Jun 14, 2011 at 09:07:00AM -0800, Royce Williams wrote:
> Patched for modern BSD boxes.
>
> No customer impact, as this is patching the OS version of BIND, which is
> not currently directly facing any external querying.
>
>
> Royce
>
> FreeBSD Security Advisories wrote, on 5/28/2011 1:28 AM:
> > =============================================================================
> > FreeBSD-SA-11:02.bind Security Advisory
> > The FreeBSD Project
> >
> > Topic: BIND remote DoS with large RRSIG RRsets and negative caching
> >
> > Category: contrib
> > Module: bind
> > Announced: 2011-05-28
> > Credits: Frank Kloeker, Michael Sinatra.
> > Affects: All supported versions of FreeBSD.
> > Corrected: 2011-05-28 00:58:19 UTC (RELENG_7, 7.4-STABLE)
> > 2011-05-28 08:44:39 UTC (RELENG_7_3, 7.3-RELEASE-p6)
> > 2011-05-28 08:44:39 UTC (RELENG_7_4, 7.4-RELEASE-p2)
> > 2011-05-28 00:33:06 UTC (RELENG_8, 8.2-STABLE)
> > 2011-05-28 08:44:39 UTC (RELENG_8_1, 8.1-RELEASE-p4)
> > 2011-05-28 08:44:39 UTC (RELENG_8_2, 8.2-RELEASE-p2)
> > CVE Name: CVE-2011-1910
> >
> > For general information regarding FreeBSD Security Advisories,
> > including descriptions of the fields above, security branches, and the
> > following sections, please visit <URL:http://security.FreeBSD.org/>.
> >
> > I. Background
> >
> > BIND 9 is an implementation of the Domain Name System (DNS) protocols.
> > The named(8) daemon is an Internet Domain Name Server.
> >
> > DNS Security Extensions (DNSSEC) provides data integrity, origin
> > authentication and authenticated denial of existence to resolvers.
> >
> > II. Problem Description
> >
> > Very large RRSIG RRsets included in a negative response can trigger
> > an assertion failure that will crash named(8) due to an off-by-one error
> > in a buffer size check.
> >
> > III. Impact
> >
> > If named(8) is being used as a recursive resolver, an attacker who
> > controls a DNS zone being resolved can cause named(8) to crash,
> > resulting in a denial of (DNS resolving) service.
> >
> > DNSSEC does not need to be enabled on the resolver for it to be
> > vulnerable.
> >
> > IV. Workaround
> >
> > No workaround is available, but systems not running the BIND DNS server
> > or using it exclusively as an authoritative name server (i.e., not as a
> > caching resolver) are not vulnerable.
> >
> > V. Solution
> >
> > Perform one of the following:
> >
> > 1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE,
> > or to the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3
> > security branch dated after the correction date.
> >
> > 2) To update your vulnerable system via a source code patch:
> >
> > The following patches have been verified to apply to FreeBSD
> > 7.3, 7.4, 8.1 and 8.2 systems.
> >
> > a) Download the relevant patch from the location below, and verify the
> > detached PGP signature using your PGP utility.
> >
> > # fetch http://security.FreeBSD.org/patches/SA-11:02/bind.patch
> > # fetch http://security.FreeBSD.org/patches/SA-11:02/bind.patch.asc
> >
> > b) Execute the following commands as root:
> >
> > # cd /usr/src
> > # patch < /path/to/patch
> > # cd /usr/src/lib/bind
> > # make obj && make depend && make && make install
> > # cd /usr/src/usr.sbin/named
> > # make obj && make depend && make && make install
> > # /etc/rc.d/named restart
> >
> > 3) To update your vulnerable system via a binary patch:
> >
> > Systems running 7.3-RELEASE, 7.4-RELEASE, 8.1-RELEASE, or 8.2-RELEASE
> > on the i386 or amd64 platforms can be updated via the freebsd-update(8)
> > utility:
> >
> > # freebsd-update fetch
> > # freebsd-update install
> >
> > VI. Correction details
> >
> > The following list contains the revision numbers of each file that was
> > corrected in FreeBSD.
> >
> > CVS:
> >
> > Branch Revision
> > Path
> > -------------------------------------------------------------------------
> > RELENG_7
> > src/contrib/bind9/lib/dns/ncache.c 1.1.1.2.2.3
> > RELENG_7_4
> > src/UPDATING 1.507.2.36.2.4
> > src/sys/conf/newvers.sh 1.72.2.18.2.7
> > src/contrib/bind9/lib/dns/ncache.c 1.1.1.2.2.2.2.1
> > RELENG_7_3
> > src/UPDATING 1.507.2.34.2.8
> > src/sys/conf/newvers.sh 1.72.2.16.2.10
> > src/contrib/bind9/lib/dns/ncache.c 1.1.1.2.10.1
> > RELENG_8
> > src/contrib/bind9/lib/dns/ncache.c 1.2.2.4
> > RELENG_8_2
> > src/UPDATING 1.632.2.19.2.4
> > src/sys/conf/newvers.sh 1.83.2.12.2.7
> > src/contrib/bind9/lib/dns/ncache.c 1.2.2.2.2.1
> > RELENG_8_1
> > src/UPDATING 1.632.2.14.2.7
> > src/sys/conf/newvers.sh 1.83.2.10.2.8
> > src/contrib/bind9/lib/dns/ncache.c 1.2.2.1.2.1
> > -------------------------------------------------------------------------
> >
> > Subversion:
> >
> > Branch/path Revision
> > -------------------------------------------------------------------------
> > stable/7/ r222399
> > releng/7.4/ r222416
> > releng/7.3/ r222416
> > stable/8/ r222396
> > releng/8.2/ r222416
> > releng/8.1/ r222416
> > head/ r222395
> > -------------------------------------------------------------------------
> >
> > VII. References
> >
> > http://www.isc.org/software/bind/advisories/cve-2011-1910
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1910
> >
> > The latest revision of this advisory is available at
> > http://security.FreeBSD.org/advisories/FreeBSD-SA-11:02.bind.asc
> _______________________________________________
> freebsd-announce at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-announce
> To unsubscribe, send any mail to "freebsd-announce-unsubscribe at freebsd.org"
>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
More information about the freebsd-security
mailing list