Apologies for any cross-posting ....


---------------------------- Original Message ----------------------------
Subject: Internet Systems Consortium Security Advisory.
From:    "Mark Andrews" <[EMAIL PROTECTED]>
Date:    Wed, September 6, 2006 2:36 am
To:
--------------------------------------------------------------------------


                Internet Systems Consortium Security Advisory.
                   BIND 9: Multiple DoS vulnerabilities
                            5 September 2006

Versions affected:
        BIND 9.3.0, BIND 9.3.1, BIND 9.3.2, BIND 9.3.3b1 and BIND 9.3.3rc1
        BIND 9.4.0a1, 9.4.0a2, 9.4.0a3, 9.4.0a4, 9.4.0a5, 9.4.0a6 and
             9.4.0b1.
        See note for BIND 9.2.x
Severity: HIGH
Exploitable: Remotely
Type: DoS

SIG Query Processing (CVE-2006-4095):

        Recursive servers:

        Queries for SIG records will trigger an assertion failure if
        more than one SIG(covered) RRset is returned.

        Exposure can be minimized by restricting sources that can
        ask for recursion.

        Authoritative servers:

        If a nameserver is serving an RFC 2535 DNSSEC zone and is
        queried for the SIG records where there are multiple SIG(covered)
        RRsets (e.g. a zone apex) then named will trigger an assertion
        failure when it tries to construct the response.

Excessive Recursive Queries INSIST failure (CVE-2006-4096):

        It is possible to trigger an INSIST failure by sending enough
        recursive queries that the response to the query arrives after
        all the clients looking for the response have left the recursion
        queue.

        Exposure can be minimized by restricting sources that can
        ask for recursion.

        Note for BIND 9.2.x:
        Code handling this path for 9.2.x has been determined to be wrong,
        though ISC has not been able to detect an execution path that would
        trigger the erroneous code in 9.2.x.
        Nonetheless a patch is provided.

Fix:
        Upgrade to BIND 9.4.0b2, BIND 9.3.3rc2, BIND 9.3.2-P1, BIND 9.2.7rc1
        or BIND 9.2.6-P1 (or later).

        These can be found via: http://www.isc.org/sw/bind/






regards
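The interim mitigation the advisory gives for both the recursive-server SIG issue and the INSIST failure is to limit which sources may ask the server to recurse. The named.conf fragment below is an added illustration and is not part of the ISC advisory or of BIND's own documentation. It shows the weak configuration (recursion available to every source that can reach port 53, which is what the 9.3 releases listed above do when no allow-recursion statement is present) next to a hardened one that restricts recursion to an ACL. The ACL name `trusted` and the address ranges in it are assumptions chosen for the example; the two `options` blocks are alternatives, not meant to appear in the same file.

```conf
// ---- Alternative 1: weak (illustrative, not from the advisory) ----
// Any host that can reach this server can make it recurse, so any host
// can drive it down the SIG-query and recursion-queue paths described above.
options {
    directory "/var/named";
    recursion yes;
    // no allow-recursion statement: every source is allowed
};

// ---- Alternative 2: hardened (illustrative, not from the advisory) ----
// Only the networks in the "trusted" ACL may request recursion. The name
// and the ranges are assumptions for this example; use your own client nets.
acl trusted {
    127.0.0.1;
    ::1;
    192.0.2.0/24;        // assumed internal IPv4 range (RFC 5737 documentation block)
    2001:db8::/32;       // assumed internal IPv6 range (RFC 3849 documentation prefix)
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };   // recursive service only for the ACL above
};
```

After editing, validate the file with `named-checkconf /etc/named.conf` (adjust the path to your installation), reload with `rndc reload`, and confirm the running build with `named -v` once you have applied the fixed release. To check the restriction from an address outside the ACL, query the server for a name it is not authoritative for, e.g. `dig @<server> www.example.com A`; a correctly restricted server answers with status REFUSED rather than resolving the name. Note that this only narrows exposure: the authoritative-server SIG case has no configuration workaround, and the upgrade in the Fix section is still required.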


