From: Bartek Rutkowski
To: freebsd-security
Cc: so@freebsd.org
Date: Wed, 25 Feb 2015 07:36:38 +0000
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:05.bind
In-Reply-To: <201502250629.t1P6TSid007902@freefall.freebsd.org>
References: <201502250629.t1P6TSid007902@freefall.freebsd.org>

On Wed, Feb 25, 2015 at 6:29 AM, FreeBSD Security Advisories wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> =============================================================================
> FreeBSD-SA-15:05.bind                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          BIND remote denial of service vulnerability
>
> Category:       contrib
> Module:         bind
> Announced:      2015-02-25
> Credits:        ISC
> Affects:        FreeBSD 8.x and FreeBSD 9.x.
> Corrected:      2015-02-18 22:20:19 UTC (stable/9, 9.3-STABLE)
>                 2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10)
>                 2015-02-18 22:29:52 UTC (stable/8, 8.4-STABLE)
>                 2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24)
> CVE Name:       CVE-2015-1349
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit .
>
> I.   Background
>
> BIND 9 is an implementation of the Domain Name System (DNS) protocols.
> The named(8) daemon is an Internet Domain Name Server.
>
> II.  Problem Description
>
> BIND servers which are configured to perform DNSSEC validation and which
> are using managed keys (which occurs implicitly when using
> "dnssec-validation auto;" or "dnssec-lookaside auto;") may exhibit
> unpredictable behavior due to the use of an improperly initialized
> variable.
>
> III. Impact
>
> A remote attacker can trigger a crash of a name server that is configured
> to use managed keys under specific and limited circumstances.  However,
> the complexity of the attack is very high unless the attacker has a
> specific network relationship to the BIND server which is targeted.
>
> IV.  Workaround
>
> Only systems that run BIND, including recursive resolvers and authoritative
> servers that perform DNSSEC validation and using managed-keys are affected.
>
> This issue can be worked around by not using "auto" for the dnssec-validation
> or dnssec-lookaside options and do not configure a managed-keys statement.
> Note that in order to do DNSSEC validation with this workaround one would
> have to configure an explicit trusted-keys statement with the appropriate
> keys.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
>
> 2) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
>

Seems like freebsd-update is throwing some error:

root@04-dev:~ # freebsd-update install
Installing updates...install: ///usr/src/crypto/openssl/util/mkbuildinf.pl: No such file or directory
 done.
root@04-dev:~ # uname -a
FreeBSD 04-dev 10.1-RELEASE-p5 FreeBSD 10.1-RELEASE-p5 #0: Tue Jan 27 08:55:07 UTC 2015 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64

Anything to worry about?

Kind regards,
Bartek Rutkowski
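
The settings named in section IV of the quoted advisory, as an added check that is not part of the advisory or of the message above: a shell function that reports active "dnssec-validation auto;", "dnssec-lookaside auto;" and managed-keys statements in a named.conf. The function names and sample files are constructed for illustration; include directives are not followed, and comment markers inside quoted strings are not recognised.

```shell
#!/bin/sh
# Added example (not from the advisory): report the named.conf settings that
# the advisory's workaround says to avoid.

strip_comments() {   # drop /* */, // and # comments so disabled options are ignored
    awk '{
        line = $0; out = ""
        while (line != "") {
            if (inblock) {                       # inside a /* ... */ comment
                e = index(line, "*/")
                if (!e) break
                line = substr(line, e + 2); inblock = 0
                continue
            }
            b = index(line, "/*"); s = index(line, "//"); h = index(line, "#")
            c = s; if (h && (!c || h < c)) c = h # earliest line-comment marker
            if (b && (!c || b < c)) {            # block comment opens first
                out = out substr(line, 1, b - 1) " "
                line = substr(line, b + 2); inblock = 1
            } else if (c) { out = out substr(line, 1, c - 1); break }
            else { out = out line; break }
        }
        print out
    }' "$1"
}

audit_named_conf() {   # returns 1 if any affected setting is active, else 0
    conf=$(strip_comments "$1" | tr '\n' ' ')    # statements may span lines
    found=0
    for opt in dnssec-validation dnssec-lookaside; do
        if printf '%s\n' "$conf" |
           grep -Eq "(^|[[:space:];{}])$opt[[:space:]]+\"?auto\"?[[:space:]]*;"; then
            echo "$1: $opt auto; (implicitly uses managed keys)"; found=1
        fi
    done
    if printf '%s\n' "$conf" | grep -Eq '(^|[[:space:];{}])managed-keys[[:space:]]*\{'; then
        echo "$1: explicit managed-keys statement"; found=1
    fi
    return "$found"
}

# Constructed sample configurations (not taken from a real server).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'options {\n  dnssec-validation auto;  // enabled\n};\n' > "$tmp/affected.conf"
printf 'options {\n  /* dnssec-validation auto; */\n  dnssec-validation yes;\n  managed-keys-directory "/var/named";\n};\n# managed-keys { };\n' > "$tmp/workaround.conf"
audit_named_conf "$tmp/affected.conf" || echo "=> apply the workaround or the update"
audit_named_conf "$tmp/workaround.conf" && echo "$tmp/workaround.conf: no affected settings"
```
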