From owner-freebsd-announce@FreeBSD.ORG Mon Aug 6 22:12:05 2012 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id B531E106564A; Mon, 6 Aug 2012 22:12:05 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 9DBD38FC12; Mon, 6 Aug 2012 22:12:05 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q76MC5AU015841; Mon, 6 Aug 2012 22:12:05 GMT (envelope-from security-advisories@freebsd.org) Received: (from simon@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q76MC5fT015839; Mon, 6 Aug 2012 22:12:05 GMT (envelope-from security-advisories@freebsd.org) Date: Mon, 6 Aug 2012 22:12:05 GMT Message-Id: <201208062212.q76MC5fT015839@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: simon set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-12:05.bind X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: freebsd-security@freebsd.org List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Aug 2012 22:12:05 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-12:05.bind Security Advisory The FreeBSD Project Topic: named(8) DNSSEC validation Denial of Service Category: contrib Module: bind Announced: 2012-08-06 Credits: Einar Lonn of IIS.se Affects: All supported versions of FreeBSD Corrected: 2012-08-06 21:33:11 UTC (RELENG_7, 7.4-STABLE) 2012-08-06 21:33:11 UTC (RELENG_7_4, 7.4-RELEASE-p10) 2012-07-24 19:04:35 UTC (RELENG_8, 8.3-STABLE) 2012-08-06 21:33:11 UTC (RELENG_8_3, 8.3-RELEASE-p4) 2012-08-06 21:33:11 UTC (RELENG_8_2, 8.2-RELEASE-p10) 2012-08-06 21:33:11 UTC (RELENG_8_1, 8.1-RELEASE-p13) 2012-07-24 22:32:03 UTC (RELENG_9, 9.1-PRERELEASE) 2012-08-06 21:33:11 UTC (RELENG_9_0, 9.0-RELEASE-p4) CVE Name: CVE-2012-3817 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named(8) daemon is an Internet Domain Name Server. DNS Security Extensions (DNSSEC) provides data integrity, origin authentication and authenticated denial of existence to resolvers. II. Problem Description BIND 9 stores a cache of query names that are known to be failing due to misconfigured name servers or a broken chain of trust. Under high query loads, when DNSSEC validation is active, it is possible for a condition to arise in which data from this cache of failing queries could be used before it was fully initialized, triggering an assertion failure. III. Impact A remote attacker that is able to generate high volume of DNSSEC validation enabled queries can trigger the assertion failure that causes it to crash, resulting in a denial of service. IV. Workaround No workaround is available, but systems not running the BIND resolving name server with dnssec-validation enabled are not affected. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE, or to the RELENG_7_4, RELENG_8_3, RELENG_8_2, RELENG_8_1, or RELENG_9_0 security branch dated after the correction date. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to FreeBSD 7.4, 8.3, 8.2, 8.1 and 9.0 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-12:05/bind.patch # fetch http://security.FreeBSD.org/patches/SA-12:05/bind.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/lib/bind/dns # make obj && make depend && make && make install # cd /usr/src/usr.sbin/named # make obj && make depend && make && make install 3) To update your vulnerable system via a binary patch: Systems running 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, 8.1-RELEASE, or 9.0-RELEASE on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 4) Install and run BIND from the Ports Collection after the correction date. The following versions and newer versions of BIND installed from the Ports Collection are not affected by this vulnerability: bind96-9.6.3.1.ESV.R7.2 bind97-9.7.6.2 bind98-9.8.3.2 bind99-9.9.1.2 VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. CVS: Branch Revision Path - ------------------------------------------------------------------------- RELENG_7 src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.11 RELENG_7_4 src/UPDATING 1.507.2.36.2.12 src/sys/conf/newvers.sh 1.72.2.18.2.15 src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.8.2.1 RELENG_8 src/contrib/bind9/CHANGES 1.9.2.15 src/contrib/bind9/lib/dns/resolver.c 1.3.2.6 src/contrib/bind9/lib/dns/zone.c 1.6.2.10 src/contrib/bind9/lib/isc/random.c 1.2.2.4 src/contrib/bind9/version 1.9.2.15 RELENG_8_3 src/UPDATING 1.632.2.26.2.6 src/sys/conf/newvers.sh 1.83.2.15.2.8 src/contrib/bind9/lib/dns/resolver.c 1.6.2.7.2.1 RELENG_8_2 src/UPDATING 1.632.2.19.2.12 src/sys/conf/newvers.sh 1.83.2.12.2.15 src/contrib/bind9/lib/dns/resolver.c 1.6.2.4.2.1 RELENG_8_1 src/UPDATING 1.632.2.14.2.16 src/sys/conf/newvers.sh 1.83.2.10.2.17 src/contrib/bind9/lib/dns/resolver.c 1.6.2.3.2.1 RELENG_9 src/contrib/bind9/CHANGES 1.21.2.5 src/contrib/bind9/lib/dns/resolver.c 1.15.2.3 src/contrib/bind9/lib/dns/zone.c 1.7.2.3 src/contrib/bind9/version 1.21.2.5 RELENG_9_0 src/UPDATING 1.702.2.4.2.6 src/sys/conf/newvers.sh 1.95.2.4.2.8 src/contrib/bind9/lib/dns/resolver.c 1.15.4.1 - ------------------------------------------------------------------------- Subversion: Branch/path Revision - ------------------------------------------------------------------------- stable/7/ r239108 releng/7.4/ r239108 stable/8/ r238749 releng/8.3/ r239108 releng/8.2/ r239108 releng/8.1/ r239108 stable/9/ r238756 releng/9.0/ r239108 - ------------------------------------------------------------------------- VII. References https://kb.isc.org/article/AA-00729 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3817 The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-12:05.bind.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 iEYEARECAAYFAlAgP6kACgkQFdaIBMps37KLuQCfdF1xHFsD5vgeWKeTfPo1z0UG XN8AnRZQy5itaoFPFALXoDy3ZnZ5qA1t =hvTi -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Tue Aug 7 21:21:35 2012 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id CC7191065673 for ; Tue, 7 Aug 2012 21:21:35 +0000 (UTC) (envelope-from deb@freebsdfoundation.org) Received: from aslan.scsiguy.com (aslan.scsiguy.com [70.89.174.89]) by mx1.freebsd.org (Postfix) with ESMTP id 82A3B8FC14 for ; Tue, 7 Aug 2012 21:21:35 +0000 (UTC) Received: from Deb-Goodkins-MacBook-Pro.local (c-71-196-153-166.hsd1.co.comcast.net [71.196.153.166]) (authenticated bits=0) by aslan.scsiguy.com (8.14.5/8.14.5) with ESMTP id q77LLTcS043209 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for ; Tue, 7 Aug 2012 15:21:29 -0600 (MDT) (envelope-from deb@freebsdfoundation.org) Message-ID: <502186D3.7020000@freebsdfoundation.org> Date: Tue, 07 Aug 2012 15:21:23 -0600 From: Deb Goodkin User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20120713 Thunderbird/14.0 MIME-Version: 1.0 To: freebsd-announce@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (aslan.scsiguy.com [70.89.174.89]); Tue, 07 Aug 2012 15:21:29 -0600 (MDT) X-Mailman-Approved-At: Tue, 07 Aug 2012 22:52:46 +0000 Subject: [FreeBSD-Announce] Accepting Travel Grant Applications for EuroBSDCon 2012 X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Aug 2012 21:21:35 -0000 Calling all FreeBSD developers needing assistance with travel expenses to EuroBSDCon 2012. The FreeBSD Foundation will be providing a limited number of travel grants to individuals requesting assistance. Please fill out and submit the Travel Grant Request Application at http://www.freebsdfoundation.org/documents/TravelRequestForm.pdf by October 19, 2012 to apply for this grant. How it works: This program is open to FreeBSD developers of all sorts (kernel hackers, documentation authors, bugbusters, system administrators, etc). In some cases we are also able to fund non-developers, such as active community members and FreeBSD advocates. (1) You request funding based on a realistic and economical estimate of travel costs (economy airfare, trainfare, ...), accommodations (conference hotel and sharing a room), and registration or tutorial fees. If there are other sponsors willing to cover costs, such as your employer or the conference, we prefer you talk to them first, as our budget is limited. We are happy to split costs with you or another sponsor, such as just covering airfare or board. *If you are a speaker at the conference, we expect the conference to cover your travel costs, and will most likely not approve your direct request to us. * (2) We review your application and if approved, authorize you to seek reimbursement up to a limit. We consider several factors, including our overall and per-event budgets, and (quite importantly) the benefit to the community by funding your travel. Most rejected applications are rejected because of an over-all limit on travel budget for the event or year, due to unrealistic or uneconomical costing, or because there is an unclear or unconvincing argument that funding the applicant will directly benefit the FreeBSD Project. Please take these points into consideration when writing your application. (3) We reimburse costs based on actuals (receipts), and by check or bank transfer. And, we do not cover your costs if you end up having to cancel your trip. We require you to submit a report on your trip, which we may show to current or potential sponsors, post on our blog, and include in our semi-annual newsletter. There's some flexibility in the mechanism, so talk to us if something about the model doesn't quite work for you or if you have any questions. The travel grant program is one of the most effective ways we can spend money to help support the FreeBSD Project, as it helps developers get together in the same place at the same time, and helps advertise and advocate FreeBSD in the larger community. Thank You, The FreeBSD Foundation