Date: Thu, 2 Jun 2011 23:46:51 GMT
From: Ryan Steinmetz <rpsfa@rit.edu>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/157548: [vuxml] BIND CVE-2011-1910
Message-ID: <201106022346.p52NkpJt002624@red.freebsd.org>
Resent-Message-ID: <201106022350.p52No5kr012810@freefall.freebsd.org>
>Number: 157548
>Category: misc
>Synopsis: [vuxml] BIND CVE-2011-1910
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu Jun 02 23:50:05 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Ryan Steinmetz
>Release: 8.2-RELEASE
>Organization: Rochester Institute of Technology
>Environment:
>Description:
CVE-2011-1910
http://www.isc.org/software/bind/advisories/cve-2011-1910
http://security.freebsd.org/advisories/FreeBSD-SA-11:02.bind.asc
>How-To-Repeat:
>Fix:
Patch attached with submission follows:

--- /tmp/vuln.xml 2011-06-02 16:50:35.000000000 -0400 +++ vuln.xml 2011-06-02 19:43:37.000000000 -0400 
@@ -34,6 +34,53 @@ --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="1e1421f0-8d6f-11e0-89b4-001ec9578670"> + <topic>BIND -- Large RRSIG RRsets and Negative Caching DoS</topic> + <affects> + <package> + <name>bind9-sdb-ldap</name> + <name>bind9-sdb-postgresql</name> + <range><lt>9.4.3.4</lt></range> + </package> + <package> + <name>bind96</name> + <range><lt>9.6.3.1.ESV.R4.1</lt></range> + </package> + <package> + <name>bind97</name> + <range><lt>9.7.3.1</lt></range> + </package> + <package> + <name>bind98</name> + <range><lt>9.8.0.2</lt></range> + </package> + <system> + <name>FreeBSD</name> + <range><gt>7.3</gt><lt>7.3_6</lt></range> + <range><gt>7.4</gt><lt>7.4_2</lt></range> + <range><gt>8.1</gt><lt>8.1_4</lt></range> + <range><gt>8.2</gt><lt>8.2_2</lt></range> + </system> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>ISC reports:</p> + <blockquote cite="http://www.isc.org/software/bind/advisories/cve-2011-1910"> + <p>A BIND 9 DNS server set up to be a caching resolver is vulnerable to a user querying a domain with very large resource record sets (RRSets) when trying to negatively cache a response. This can cause the BIND 9 DNS server (named process) to crash.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2011-1910</cvename> + <freebsdsa>SA-11:02.bind</freebsdsa> + <url>http://www.isc.org/software/bind/advisories/cve-2011-1910</url> + </references> + <dates> + <discovery>2011-06-26</discovery> + <entry>2011-06-02</entry> + </dates> + </vuln> + <vuln vid="34ce5817-8d56-11e0-b5a2-6c626dd55a41"> <topic>asterisk -- Remote crash vulnerability</topic> <affects> >Release-Note: >Audit-Trail: >Unformatted:
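Review bot: the `<discovery>` date in the `<dates>` block, 2011-06-26, is later than both the `<entry>` date (2011-06-02) and the date of this submission, so it cannot be correct as written; it looks like a month typo and should be set to the date the ISC advisory gives. Separately, every range in the `<system>` block opens with a strict `<gt>`, for example `<range><gt>7.3</gt><lt>7.3_6</lt></range>`, which leaves the unpatched base releases 7.3, 7.4, 8.1 and 8.2 themselves outside the affected range. Using `<ge>` for the lower bound would include them.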