Date: Wed, 25 Feb 2015 07:36:38 +0000 From: Bartek Rutkowski <robak@freebsd.org> To: freebsd-security <freebsd-security@freebsd.org> Cc: so@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:05.bind Message-ID: <CAHcXP%2BcSUNVtkZWKQJb_ux5v=BLYnBmUhFO44AyishssMQWdBw@mail.gmail.com> In-Reply-To: <201502250629.t1P6TSid007902@freefall.freebsd.org> References: <201502250629.t1P6TSid007902@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Feb 25, 2015 at 6:29 AM, FreeBSD Security Advisories <security-advisories@freebsd.org> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > ============================================================================= > FreeBSD-SA-15:05.bind Security Advisory > The FreeBSD Project > > Topic: BIND remote denial of service vulnerability > > Category: contrib > Module: bind > Announced: 2015-02-25 > Credits: ISC > Affects: FreeBSD 8.x and FreeBSD 9.x. > Corrected: 2015-02-18 22:20:19 UTC (stable/9, 9.3-STABLE) > 2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10) > 2015-02-18 22:29:52 UTC (stable/8, 8.4-STABLE) > 2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24) > CVE Name: CVE-2015-1349 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit <URL:https://security.FreeBSD.org/>. > > I. Background > > BIND 9 is an implementation of the Domain Name System (DNS) protocols. > The named(8) daemon is an Internet Domain Name Server. > > II. Problem Description > > BIND servers which are configured to perform DNSSEC validation and which > are using managed keys (which occurs implicitly when using > "dnssec-validation auto;" or "dnssec-lookaside auto;") may exhibit > unpredictable behavior due to the use of an improperly initialized > variable. > > III. Impact > > A remote attacker can trigger a crash of a name server that is configured > to use managed keys under specific and limited circumstances. However, > the complexity of the attack is very high unless the attacker has a > specific network relationship to the BIND server which is targeted. > > IV. Workaround > > Only systems that runs BIND, including recursive resolvers and authoritative > servers that performs DNSSEC validation and using managed-keys are affected. > > This issue can be worked around by not using "auto" for the dnssec-validation > or dnssec-lookaside options and do not configure a managed-keys statement. > Note that in order to do DNSSEC validation with this workaround one would > have to configure an explicit trusted-keys statement with the appropriate > keys. > > V. Solution > > Perform one of the following: > > 1) Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date. > > 2) To update your vulnerable system via a binary patch: > > Systems running a RELEASE version of FreeBSD on the i386 or amd64 > platforms can be updated via the freebsd-update(8) utility: > > # freebsd-update fetch > # freebsd-update install > Seems like freebsd-update is throwing some error: root@04-dev:~ # freebsd-update install Installing updates...install: ///usr/src/crypto/openssl/util/mkbuildinf.pl: No such file or directory done. root@04-dev:~ # uname -a FreeBSD 04-dev 10.1-RELEASE-p5 FreeBSD 10.1-RELEASE-p5 #0: Tue Jan 27 08:55:07 UTC 2015 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64 Anything to worry about? Kind regards, Bartek Rutkowski
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAHcXP%2BcSUNVtkZWKQJb_ux5v=BLYnBmUhFO44AyishssMQWdBw>