Date: Tue, 14 Jun 2011 16:28:17 -0400
From: jhell <jhell@DataIX.net>
To: Royce Williams <royce.williams@acsalaska.net>
Cc: security-advisories@freebsd.org, freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-11:02.bind
Message-ID: <20110614202817.GA81719@DataIX.net>
In-Reply-To: <4DF79534.6060507@acsalaska.net>
References: <201105280928.p4S9SxXg051018@freefall.freebsd.org> <4DF79534.6060507@acsalaska.net>
What are you talking about! "that's great!" This is an advisory, not a discussion of what you use.

On Tue, Jun 14, 2011 at 09:07:00AM -0800, Royce Williams wrote:
> Patched for modern BSD boxes.
>
> No customer impact, as this is patching the OS version of BIND, which is
> not currently directly facing any external querying.
>
>
> Royce
>
> FreeBSD Security Advisories wrote, on 5/28/2011 1:28 AM:
> > =============================================================================
> > FreeBSD-SA-11:02.bind                                       Security Advisory
> >                                                           The FreeBSD Project
> >
> > Topic:          BIND remote DoS with large RRSIG RRsets and negative caching
> >
> > Category:       contrib
> > Module:         bind
> > Announced:      2011-05-28
> > Credits:        Frank Kloeker, Michael Sinatra.
> > Affects:        All supported versions of FreeBSD.
> > Corrected:      2011-05-28 00:58:19 UTC (RELENG_7, 7.4-STABLE)
> >                 2011-05-28 08:44:39 UTC (RELENG_7_3, 7.3-RELEASE-p6)
> >                 2011-05-28 08:44:39 UTC (RELENG_7_4, 7.4-RELEASE-p2)
> >                 2011-05-28 00:33:06 UTC (RELENG_8, 8.2-STABLE)
> >                 2011-05-28 08:44:39 UTC (RELENG_8_1, 8.1-RELEASE-p4)
> >                 2011-05-28 08:44:39 UTC (RELENG_8_2, 8.2-RELEASE-p2)
> > CVE Name:       CVE-2011-1910
> >
> > For general information regarding FreeBSD Security Advisories,
> > including descriptions of the fields above, security branches, and the
> > following sections, please visit <URL:http://security.FreeBSD.org/>.
> >
> > I.   Background
> >
> > BIND 9 is an implementation of the Domain Name System (DNS) protocols.
> > The named(8) daemon is an Internet Domain Name Server.
> >
> > DNS Security Extensions (DNSSEC) provides data integrity, origin
> > authentication and authenticated denial of existence to resolvers.
> >
> > II.  Problem Description
> >
> > Very large RRSIG RRsets included in a negative response can trigger
> > an assertion failure that will crash named(8) due to an off-by-one error
> > in a buffer size check.
> >
> > III. Impact
> >
> > If named(8) is being used as a recursive resolver, an attacker who
> > controls a DNS zone being resolved can cause named(8) to crash,
> > resulting in a denial of (DNS resolving) service.
> >
> > DNSSEC does not need to be enabled on the resolver for it to be
> > vulnerable.
> >
> > IV.  Workaround
> >
> > No workaround is available, but systems not running the BIND DNS server
> > or using it exclusively as an authoritative name server (i.e., not as a
> > caching resolver) are not vulnerable.
> >
> > V.   Solution
> >
> > Perform one of the following:
> >
> > 1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE,
> > or to the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3
> > security branch dated after the correction date.
> >
> > 2) To update your vulnerable system via a source code patch:
> >
> > The following patches have been verified to apply to FreeBSD
> > 7.3, 7.4, 8.1 and 8.2 systems.
> >
> > a) Download the relevant patch from the location below, and verify the
> > detached PGP signature using your PGP utility.
> >
> > # fetch http://security.FreeBSD.org/patches/SA-11:02/bind.patch
> > # fetch http://security.FreeBSD.org/patches/SA-11:02/bind.patch.asc
> >
> > b) Execute the following commands as root:
> >
> > # cd /usr/src
> > # patch < /path/to/patch
> > # cd /usr/src/lib/bind
> > # make obj && make depend && make && make install
> > # cd /usr/src/usr.sbin/named
> > # make obj && make depend && make && make install
> > # /etc/rc.d/named restart
> >
> > 3) To update your vulnerable system via a binary patch:
> >
> > Systems running 7.3-RELEASE, 7.4-RELEASE, 8.1-RELEASE, or 8.2-RELEASE
> > on the i386 or amd64 platforms can be updated via the freebsd-update(8)
> > utility:
> >
> > # freebsd-update fetch
> > # freebsd-update install
> >
> > VI.  Correction details
> >
> > The following list contains the revision numbers of each file that was
> > corrected in FreeBSD.
> >
> > CVS:
> >
> > Branch                                                           Revision
> >   Path
> > -------------------------------------------------------------------------
> > RELENG_7
> >   src/contrib/bind9/lib/dns/ncache.c                            1.1.1.2.2.3
> > RELENG_7_4
> >   src/UPDATING                                               1.507.2.36.2.4
> >   src/sys/conf/newvers.sh                                     1.72.2.18.2.7
> >   src/contrib/bind9/lib/dns/ncache.c                        1.1.1.2.2.2.2.1
> > RELENG_7_3
> >   src/UPDATING                                               1.507.2.34.2.8
> >   src/sys/conf/newvers.sh                                    1.72.2.16.2.10
> >   src/contrib/bind9/lib/dns/ncache.c                           1.1.1.2.10.1
> > RELENG_8
> >   src/contrib/bind9/lib/dns/ncache.c                                1.2.2.4
> > RELENG_8_2
> >   src/UPDATING                                               1.632.2.19.2.4
> >   src/sys/conf/newvers.sh                                     1.83.2.12.2.7
> >   src/contrib/bind9/lib/dns/ncache.c                            1.2.2.2.2.1
> > RELENG_8_1
> >   src/UPDATING                                               1.632.2.14.2.7
> >   src/sys/conf/newvers.sh                                     1.83.2.10.2.8
> >   src/contrib/bind9/lib/dns/ncache.c                            1.2.2.1.2.1
> > -------------------------------------------------------------------------
> >
> > Subversion:
> >
> > Branch/path                                                      Revision
> > -------------------------------------------------------------------------
> > stable/7/                                                         r222399
> > releng/7.4/                                                       r222416
> > releng/7.3/                                                       r222416
> > stable/8/                                                         r222396
> > releng/8.2/                                                       r222416
> > releng/8.1/                                                       r222416
> > head/                                                             r222395
> > -------------------------------------------------------------------------
> >
> > VII. References
> >
> > http://www.isc.org/software/bind/advisories/cve-2011-1910
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1910
> >
> > The latest revision of this advisory is available at
> > http://security.FreeBSD.org/advisories/FreeBSD-SA-11:02.bind.asc
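An added example, not part of the thread or of the FreeBSD advisory: a POSIX sh check that compares a FreeBSD release string (as printed by uname -r) against the fixed patch levels listed in the advisory's Corrected field, so an administrator can tell at a glance whether a RELEASE box still needs SA-11:02. The function names and the status words (patched/vulnerable/unknown) are my own; the release-to-patch-level map comes from the advisory.

```shell
#!/bin/sh
# Added example: classify a FreeBSD release string against FreeBSD-SA-11:02.bind.
# Exit status: 0 = patched, 1 = affected release below the fixed level,
# 2 = release the advisory does not list (e.g. -STABLE, which is only
# identifiable by source date, or a release outside the advisory).

# Release -> first patch level carrying the fix, from the "Corrected:" field.
fixed_patchlevel() {
    case "$1" in
        7.3-RELEASE) echo 6 ;;
        7.4-RELEASE) echo 2 ;;
        8.1-RELEASE) echo 4 ;;
        8.2-RELEASE) echo 2 ;;
        *) return 1 ;;
    esac
}

# sa1102_status VERSION   (VERSION as from uname -r, e.g. "8.2-RELEASE-p1")
sa1102_status() {
    rel=${1%%-p*}                 # "8.2-RELEASE-p1" -> "8.2-RELEASE"
    case "$1" in
        *-p*) have=${1##*-p} ;;   # installed patch level
        *)    have=0 ;;           # no -pN suffix: the unpatched release
    esac
    need=$(fixed_patchlevel "$rel") || { echo unknown; return 2; }
    if [ "$have" -ge "$need" ]; then
        echo patched
        return 0
    fi
    echo vulnerable
    return 1
}

# Caveat: uname -r reports the booted kernel. After freebsd-update you must
# reboot into the new kernel for the -pN to change, and a custom kernel only
# shows the new level once rebuilt from the patched newvers.sh. Printed
# status only here; scripts that source this file get the exit status.
sa1102_status "$(uname -r)" || :
```

Remember the workaround section: even an unpatched host is unaffected if named is not running or is purely authoritative, so pair this check with a look at whether the resolver actually recurses.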