		 NetBSD Security Advisory 2011-009
		 =================================

Topic:		BIND resolver DoS

Version:	NetBSD-current:		affected prior to 20111116
		NetBSD 5.1:		affected prior to 20111118
		NetBSD 5.0:		affected prior to 20111118
		NetBSD 4.0.*:		affected prior to 20111120
		NetBSD 4.0:		affected prior to 20111120
		pkgsrc:			net/bind96, net/bind97 and net/bind98
					packages prior to 20111116

Severity:	Denial of Service

Fixed:		NetBSD-current:		Nov 16th, 2011
		NetBSD-5-1 branch:	Nov 18th, 2011
		NetBSD-5-0 branch:	Nov 18th, 2011
		NetBSD-5 branch:	Nov 18th, 2011
		NetBSD-4-0 branch:	Nov 20th, 2011
		NetBSD-4 branch:	Nov 20th, 2011
		pkgsrc net/bind96:	bind-9.6.3.1.ESV.5pl1 mitigates this issue
		pkgsrc net/bind97:	bind-9.7.4pl1 mitigates this issue
		pkgsrc net/bind98:	bind-9.8.1pl1 mitigates this issue

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

Resolvers crash after logging:
"INSIST(! dns_rdataset_isassociated(sigrdataset))"

This vulnerability has been assigned CVE-2011-4313.


Technical Details
=================

An accidental operational error exposed a previously unknown bug in
BIND that could be exploited intentionally: unpatched BIND 9 resolvers
may cache an invalid record, and subsequent queries for that record
could crash the resolvers with an assertion failure.

ISC provided a patch which makes named recover gracefully from the
inconsistency, preventing the abnormal exit. The patch has two
components. When a client query is handled, the code which processes
the response to the client has to ask the cache for the records for
the name that is being queried. The first component of the patch
prevents the cache from returning the inconsistent data. The second
component prevents named from crashing if it detects that it has been
given an inconsistent answer of this nature.

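
A log check for the assertion quoted in the Abstract, as an added example that is not part of the NetBSD advisory or of ISC's patch: it reports, per host, how often named logged the message and when. The BSD syslog line layout, the sample lines and the function names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise, per resolver host, how often named logged the
# CVE-2011-4313 assertion. Reads syslog lines on stdin and prints
# "<host> <count> <first seen> - <last seen>".
# Assumed layout: "Mon DD HH:MM:SS host named[pid]: message".
ASSERT_MSG='INSIST(! dns_rdataset_isassociated(sigrdataset))'

find_bind_insist() {
    awk -v msg="$ASSERT_MSG" '
        # index() is a literal substring match, so the parentheses and the
        # exclamation mark in the assertion text need no regex escaping.
        index($0, msg) && $5 ~ /^named(\[[0-9]+\])?:$/ {
            host = $4
            stamp = $1 " " $2 " " $3
            if (!(host in count)) { first[host] = stamp; order[++n] = host }
            count[host]++
            last[host] = stamp
        }
        END {
            # Report hosts in the order they first appeared in the log.
            for (i = 1; i <= n; i++) {
                h = order[i]
                printf "%s %d %s - %s\n", h, count[h], first[h], last[h]
            }
        }'
}

# Constructed sample input (hosts, pids and the query.c line are made up).
sample_log() {
    cat <<'EOF'
Nov 16 14:02:11 ns1 named[312]: query.c:1234: INSIST(! dns_rdataset_isassociated(sigrdataset)) failed
Nov 16 14:02:11 ns1 named[312]: exiting (due to assertion failure)
Nov 16 14:05:40 ns2 named[877]: query.c:1234: INSIST(! dns_rdataset_isassociated(sigrdataset)) failed
Nov 16 14:09:03 ns1 named[4410]: query.c:1234: INSIST(! dns_rdataset_isassociated(sigrdataset)) failed
Nov 16 14:10:00 mail postfix/smtpd[99]: connect from unknown
EOF
}

sample_log | find_bind_insist
```

On a live system the function would read the resolver's own log instead of the sample, for example `find_bind_insist < /var/log/messages`.
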

Solutions and Workarounds
=========================

We suggest fixing this vulnerability by using the current net/bind98 or
net/bind97 pkgsrc package instead of the in-system bind until the entire
system can be updated (e.g. to the next security/critical release, or a
binary snapshot from http://nyftp.netbsd.org/pub/NetBSD-daily/ from past
the fix date).


Thanks To
=========

Thanks to the Internet Systems Consortium for reporting this
vulnerability and providing fixed versions.


Revision History
================

	2011-12-15	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-009.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-009.txt,v 1.1 2011/12/15 13:52:31 tonnerre Exp $