Package: bind9
Version: 1:9.8.1.dfsg.P1-4.3
Severity: normal
Tags: upstream

Dear Maintainer,

This is a remote DoS exploit on recursive servers, or authoritative
servers if the RR is loaded from file or via zone transfer.

Quoting https://kb.isc.org/article/AA-00778/74

"If a record with RDATA in excess of 65535 bytes is loaded into a
nameserver, a subsequent query for that record will cause named to exit
with an assertion failure."

Fixed in package bind9_9.8.4.dfsg-1 uploaded to unstable.

It's not practical to reliably backport a fix for this.  ISC have
markedly changed data structures and flags to fix other bugs, making
patching risky.  They do not provide access to their VCS.  9.8.4 is
the bug-fixed upstream version of 9.8.1.

Rationale for the bind9_9.8.4.dfsg-1 package is to make bug fixing wheezy
bind9 easier/more reliable once released.

Please upgrade wheezy bind9 to 9.8.4.dfsg-1

I am a DD with a C network router programming background, and am
currently working on an ISP DNS system, and have evaluated patchability
for other CVEs, and found too much of a risk of introducing other bugs
when using patches from other ISC versions of bind9 like 9.6ESRV.

Best Regards,

Matthew Grant

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bind9 depends on:
ii  adduser                3.113+nmu3
ii  bind9utils             1:9.8.1.dfsg.P1-4.3
ii  debconf [debconf-2.0]  1.5.46
ii  libbind9-80            1:9.8.1.dfsg.P1-4.3
ii  libc6                  2.13-35
ii  libcap2                1:2.22-1.2
ii  libdns81               1:9.8.1.dfsg.P1-4.3
ii  libgssapi-krb5-2       1.10.1+dfsg-2
ii  libisc83               1:9.8.1.dfsg.P1-4.3
ii  libisccc80             1:9.8.1.dfsg.P1-4.3
ii  libisccfg82            1:9.8.1.dfsg.P1-4.3
ii  liblwres80             1:9.8.1.dfsg.P1-4.3
ii  libssl1.0.0            1.0.1c-4
ii  lsb-base               4.1+Debian7
ii  net-tools              1.60-24.2
ii  netbase                5.0

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind9-doc   <none>
ii  dnsutils    1:9.8.1.dfsg.P1-4.3
pn  resolvconf  <none>
pn  ufw         <none>

-- Configuration Files:
/etc/bind/named.conf.local changed [not included]

-- debconf information excluded

