On 05/03/2018 05:50, Nagesh Thati wrote:
> Hello,
>
> I have added a servfail-ttl 0; parameter in the named.conf file in the
> global section and restarted the named, but named is not coming up and I
> don't see any errors printing in the named.log. When I do a
> named-checkconf on named.conf it is giving error as UNKNOWN OPTION
> servfail-ttl. The version I am using is BIND 9.10.6 stable build. Can
> someone help me on this.
> Thanks.
>
> To fix this bug I have added above parameter CVE-2018-5734: A
> malformed request can trigger an assertion failure in badcache.c
> <https://kb.isc.org/article/AA-01562/0/CVE-2018-5734%3A-A-malformed-request-can-trigger-an-assertion-failure-in-badcache.c.html>
CVE-2018-5734 affects only the editions listed in the security advisory: 9.10.5-S1 to 9.10.5-S4, 9.10.6-S1, and 9.10.6-S2. These are Supported Preview Editions of BIND provided to eligible ISC Support customers, not the same as the ones available for download from our website.

Servfail cache was added to BIND Open Source from BIND 9.11 (although it was backported to some of the -S editions as a Supported Preview feature) - see:
https://kb.isc.org/article/AA-01310/109/BIND9-Significant-Features-Matrix.html

This is why the servfail-ttl option is unknown in 9.10.6.

So you're not vulnerable to CVE-2018-5734 - although I see why you might have thought that you are, because the -S editions of BIND have a similar version numbering scheme to the regular editions, but with -S appended (it's not often that we have a security issue that affects only those, but it is still necessary to issue an advisory).

Hope this clarifies (and also sets your mind at rest)?

Cathy
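The triage the reply walks through (is this build one of the -S editions named in the advisory, and is servfail-ttl even an option for this version) is easy to get wrong by eye because the -S and regular version strings look alike. The POSIX shell helper below is an added example, not code from ISC or from this thread: it parses the version out of a `named -v` banner (the banner line used here is a constructed sample), checks it against the exact list of affected builds given in the reply, and reports whether the open-source servfail-ttl option is expected (9.11 and later). Whether a particular -S build carries the backport is something only the feature matrix linked above can answer, so the helper deliberately reports that case separately instead of guessing.

```shell
#!/bin/sh
# Added example (not from the thread): triage a BIND version string for
# CVE-2018-5734 exposure and servfail-ttl availability.

# Extract "9.10.6-S1" from a banner such as "BIND 9.10.6-S1 <id:abcd1234>".
# Real banners come from `named -v`; the strings used in the usage below are
# constructed samples.
bind_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^BIND \([0-9][0-9A-Za-z.-]*\).*/\1/p'
}

# Exactly the Supported Preview builds listed in the advisory, per the reply:
# 9.10.5-S1 to 9.10.5-S4, 9.10.6-S1 and 9.10.6-S2. Returns 0 if affected.
is_affected_by_cve_2018_5734() {
    case "$1" in
        9.10.5-S1|9.10.5-S2|9.10.5-S3|9.10.5-S4|9.10.6-S1|9.10.6-S2) return 0 ;;
        *) return 1 ;;
    esac
}

# servfail-ttl is an open-source option from 9.11 on (per the reply).
# Returns 0 = expected, 1 = not in this open-source release,
# 2 = -S edition, consult the significant-features matrix instead.
supports_servfail_ttl_opensource() {
    ver=$1
    case "$ver" in *-S*) return 2 ;; esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    minor=${minor%%-*}
    if [ "$major" -gt 9 ]; then return 0; fi
    if [ "$major" -eq 9 ] && [ "$minor" -ge 11 ]; then return 0; fi
    return 1
}

# Human-readable summary for one banner line; prints one line per finding.
triage_bind_banner() {
    ver=$(bind_version_from_banner "$1")
    if [ -z "$ver" ]; then
        printf 'could not parse a BIND version from: %s\n' "$1"
        return 1
    fi
    if is_affected_by_cve_2018_5734 "$ver"; then
        printf '%s: listed in the CVE-2018-5734 advisory; follow the advisory\n' "$ver"
    else
        printf '%s: not in the CVE-2018-5734 affected list\n' "$ver"
    fi
    rc=0
    supports_servfail_ttl_opensource "$ver" || rc=$?
    case "$rc" in
        0) printf '%s: servfail-ttl should be accepted (verify with named-checkconf)\n' "$ver" ;;
        1) printf '%s: servfail-ttl is not an option in this release; do not add it\n' "$ver" ;;
        2) printf '%s: -S edition; check the features matrix for servfail cache\n' "$ver" ;;
    esac
    return 0
}

# Constructed sample banners, not captured from real servers.
triage_bind_banner 'BIND 9.10.6 <id:constructed>'
triage_bind_banner 'BIND 9.10.6-S1 <id:constructed>'
triage_bind_banner 'BIND 9.11.2 <id:constructed>'
```

Run it against the real output of `named -v` on the host in question; whatever the helper reports, the authoritative check before a restart is still `named-checkconf named.conf`, which is exactly what surfaced the "unknown option" error in the original question.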