From owner-freebsd-security@FreeBSD.ORG Tue Jun 14 20:53:29 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 57FD81065675; Tue, 14 Jun 2011 20:53:29 +0000 (UTC) (envelope-from cmdlnkid@gmail.com) Received: from mail-pv0-f182.google.com (mail-pv0-f182.google.com [74.125.83.182]) by mx1.freebsd.org (Postfix) with ESMTP id 0FF988FC26; Tue, 14 Jun 2011 20:53:28 +0000 (UTC) Received: by pvg11 with SMTP id 11so3641184pvg.13 for ; Tue, 14 Jun 2011 13:53:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:sender:date:from:to:cc:subject:message-id :references:mime-version:content-type:content-disposition :in-reply-to; bh=J2VpYhzjVuk1Qd/k4LGoqcME3SkO3x2XR+Nd7lXRWug=; b=MgQUD6WlUBNMM3px/4N2G9z1TmgiJBUsEKPVTfpCNqMUgMJhdgIHG3rq9QCwnWUvHn UDiC3xsYKg6H7JgEEgwOrzrmTUp5NqVMQohBVIrGWbPVR7TIdjSmmmzlrH9DAnUheMN7 T0SUQd4Txm/VbaMVmKEEMyTMC18bDZjMerjww= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to; b=sSBUNFAyoEipf9ImtO7PN04gD7P97MhLwlgGWvgbKMVVvedLEp+CbrPtyln9ZwxvOA JH1rtRUjMKWIGWzDNZtA0y0JfKAxjP9AmcpMqfwNlO69v8rZr2HMYrUNEw5OmuKgXdI2 JaQVW+rVRk3juhokTMcL8fbuclxkwc4FyOIuw= Received: by 10.142.2.22 with SMTP id 22mr1499782wfb.114.1308083304637; Tue, 14 Jun 2011 13:28:24 -0700 (PDT) Received: from DataIX.net ([99.181.139.216]) by mx.google.com with ESMTPS id k4sm5832639pbl.43.2011.06.14.13.28.21 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 14 Jun 2011 13:28:23 -0700 (PDT) Sender: The Command Line Kid Received: from DataIX.net (localhost [127.0.0.1]) by DataIX.net (8.14.4/8.14.4) with ESMTP id p5EKSIh6082577 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 14 Jun 2011 16:28:18 -0400 (EDT) (envelope-from jhell@DataIX.net) Received: (from jhell@localhost) by DataIX.net (8.14.4/8.14.4/Submit) id p5EKSHLo082576; Tue, 14 Jun 2011 16:28:17 -0400 (EDT) (envelope-from jhell@DataIX.net) Date: Tue, 14 Jun 2011 16:28:17 -0400 From: jhell To: Royce Williams Message-ID: <20110614202817.GA81719@DataIX.net> References: <201105280928.p4S9SxXg051018@freefall.freebsd.org> <4DF79534.6060507@acsalaska.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4DF79534.6060507@acsalaska.net> Cc: security-advisories@freebsd.org, freebsd-security@freebsd.org Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-11:02.bind X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jun 2011 20:53:29 -0000 What are you talking about! "thats great!" this is an advisory not a discussion of what you use. On Tue, Jun 14, 2011 at 09:07:00AM -0800, Royce Williams wrote: > Patched for modern BSD boxes. > > No customer impact, as this is patching the OS version of BIND, which is > not currently directly facing any external querying. > > > Royce > > FreeBSD Security Advisories wrote, on 5/28/2011 1:28 AM: > > ============================================================================= > > FreeBSD-SA-11:02.bind Security Advisory > > The FreeBSD Project > > > > Topic: BIND remote DoS with large RRSIG RRsets and negative caching > > > > Category: contrib > > Module: bind > > Announced: 2011-05-28 > > Credits: Frank Kloeker, Michael Sinatra. > > Affects: All supported versions of FreeBSD. > > Corrected: 2011-05-28 00:58:19 UTC (RELENG_7, 7.4-STABLE) > > 2011-05-28 08:44:39 UTC (RELENG_7_3, 7.3-RELEASE-p6) > > 2011-05-28 08:44:39 UTC (RELENG_7_4, 7.4-RELEASE-p2) > > 2011-05-28 00:33:06 UTC (RELENG_8, 8.2-STABLE) > > 2011-05-28 08:44:39 UTC (RELENG_8_1, 8.1-RELEASE-p4) > > 2011-05-28 08:44:39 UTC (RELENG_8_2, 8.2-RELEASE-p2) > > CVE Name: CVE-2011-1910 > > > > For general information regarding FreeBSD Security Advisories, > > including descriptions of the fields above, security branches, and the > > following sections, please visit . > > > > I. Background > > > > BIND 9 is an implementation of the Domain Name System (DNS) protocols. > > The named(8) daemon is an Internet Domain Name Server. > > > > DNS Security Extensions (DNSSEC) provides data integrity, origin > > authentication and authenticated denial of existence to resolvers. > > > > II. Problem Description > > > > Very large RRSIG RRsets included in a negative response can trigger > > an assertion failure that will crash named(8) due to an off-by-one error > > in a buffer size check. > > > > III. Impact > > > > If named(8) is being used as a recursive resolver, an attacker who > > controls a DNS zone being resolved can cause named(8) to crash, > > resulting in a denial of (DNS resolving) service. > > > > DNSSEC does not need to be enabled on the resolver for it to be > > vulnerable. > > > > IV. Workaround > > > > No workaround is available, but systems not running the BIND DNS server > > or using it exclusively as an authoritative name server (i.e., not as a > > caching resolver) are not vulnerable. > > > > V. Solution > > > > Perform one of the following: > > > > 1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, > > or to the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 > > security branch dated after the correction date. > > > > 2) To update your vulnerable system via a source code patch: > > > > The following patches have been verified to apply to FreeBSD > > 7.3, 7.4, 8.1 and 8.2 systems. > > > > a) Download the relevant patch from the location below, and verify the > > detached PGP signature using your PGP utility. > > > > # fetch http://security.FreeBSD.org/patches/SA-11:02/bind.patch > > # fetch http://security.FreeBSD.org/patches/SA-11:02/bind.patch.asc > > > > b) Execute the following commands as root: > > > > # cd /usr/src > > # patch < /path/to/patch > > # cd /usr/src/lib/bind > > # make obj && make depend && make && make install > > # cd /usr/src/usr.sbin/named > > # make obj && make depend && make && make install > > # /etc/rc.d/named restart > > > > 3) To update your vulnerable system via a binary patch: > > > > Systems running 7.3-RELEASE, 7.4-RELEASE, 8.1-RELEASE, or 8.2-RELEASE > > on the i386 or amd64 platforms can be updated via the freebsd-update(8) > > utility: > > > > # freebsd-update fetch > > # freebsd-update install > > > > VI. Correction details > > > > The following list contains the revision numbers of each file that was > > corrected in FreeBSD. > > > > CVS: > > > > Branch Revision > > Path > > ------------------------------------------------------------------------- > > RELENG_7 > > src/contrib/bind9/lib/dns/ncache.c 1.1.1.2.2.3 > > RELENG_7_4 > > src/UPDATING 1.507.2.36.2.4 > > src/sys/conf/newvers.sh 1.72.2.18.2.7 > > src/contrib/bind9/lib/dns/ncache.c 1.1.1.2.2.2.2.1 > > RELENG_7_3 > > src/UPDATING 1.507.2.34.2.8 > > src/sys/conf/newvers.sh 1.72.2.16.2.10 > > src/contrib/bind9/lib/dns/ncache.c 1.1.1.2.10.1 > > RELENG_8 > > src/contrib/bind9/lib/dns/ncache.c 1.2.2.4 > > RELENG_8_2 > > src/UPDATING 1.632.2.19.2.4 > > src/sys/conf/newvers.sh 1.83.2.12.2.7 > > src/contrib/bind9/lib/dns/ncache.c 1.2.2.2.2.1 > > RELENG_8_1 > > src/UPDATING 1.632.2.14.2.7 > > src/sys/conf/newvers.sh 1.83.2.10.2.8 > > src/contrib/bind9/lib/dns/ncache.c 1.2.2.1.2.1 > > ------------------------------------------------------------------------- > > > > Subversion: > > > > Branch/path Revision > > ------------------------------------------------------------------------- > > stable/7/ r222399 > > releng/7.4/ r222416 > > releng/7.3/ r222416 > > stable/8/ r222396 > > releng/8.2/ r222416 > > releng/8.1/ r222416 > > head/ r222395 > > ------------------------------------------------------------------------- > > > > VII. References > > > > http://www.isc.org/software/bind/advisories/cve-2011-1910 > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1910 > > > > The latest revision of this advisory is available at > > http://security.FreeBSD.org/advisories/FreeBSD-SA-11:02.bind.asc > _______________________________________________ > freebsd-announce@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-announce > To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org" > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"