-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ISC has updated CVE 2010-3613 and the associated operational guidance based on feedback from one of our forum members. The update changes affected versions to include versions of BIND 9 back to 9.0.x. Please review carefully and respond appropriately if you are running an affected version.
Best Regards, Larissa Larissa Shapiro ISC Product Manager - ---------------------------------------------------------------------- Updated CVE: BIND: cache incorrectly allows a ncache entry and a rrsig for the same type Summary: Failure to clear existing RRSIG records when a NO DATA is negatively cached could cause subsequent lookups to crash named. CVE: CVE-2010-3613 CERT: VU#706148 Posting date: 01 Dec 2010 Revision: 14 December 2010 Program Impacted: BIND Versions affected: 9.0.x to 9.7.2-P2, 9.4-ESV to 9.4-ESV-R3, 9.6-ESV to 9.6-ESV-R2 Severity: High Exploitable: remotely Description: Adding certain types of negative signed responses to cache doesn't clear any matching RRSIG records already in cache. A subsequent lookup of the cached data can cause named to crash (INSIST). CVSS Base Score: 7.8 - (AV:N/AC:L/Au:N/C:N/I:N/A:C) For more on CVSS scores and to calculate your environment's specific risk, please visit: http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C) Impact and Risk Assessment: The INSIST crashes the server. This vulnerability affects recursive nameservers irrespective of whether DNSSEC validation is enabled or disabled. Workarounds: none Active exploits: None known at this time. Solution: The versions listed below are supported by ISC. All other versions are End of Life, and will not be patched. If you are running a version not listed below, you should upgrade as soon as possible. 9.4.x: upgrade to 9.4-ESV-R4, or newer 9.6.x: upgrade to 9.6.2-P3 or newer 9.6-ESV: upgrade to 9.6-ESV-R3 or newer 9.7.x: upgrade to 9.7.2-P3 Acknowledgment: Shinichi Furuso Revision History: 24 November 2010: Corrected/Updated: Versions affected, CVSS Score, Impact, Risk Assessment and Solution 14 December 2010: Updated Versions Affected, Solution and Acknowledgment For more information please contact bind9-b...@isc.org - ----------------------------------------------------------------------------------- Updated Guidance Text: CVE: CVE-2010-3613 CERT: VU#706148 BIND: cache incorrectly allows a ncache entry and a rrsig for the same type Although the defect is very unlikely to be encountered in normal> operation, if your recursive resolver is being used to query public Internet zones and you cannot readily restrict your client queries then there is the potential for a remote attacker to cause your nameserver to crash. Note particularly that disabling DNSSEC validation is NOT an effective workaround. * We recommend that you plan to upgrade immediately if ALL of the following apply to your BIND installation: a) You are operating a recursive server which obtains answers from public Internet zones. b) You are running any version of BIND 9 including or prior to: 9.6.2 - 9.6.2-P2, 9.4-ESV - 9.6-ESV-R2, 9.7.0 - 9.7.2-P2 c) The DNS clients accessing your resolver constitute a large pool and are not under you control or you can not limit access only to machines with full trust. * We suggest that you put this upgrade in your plans for 2011 if you are not operating recursive DNS servers. -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJNB5RCAAoJEBOIp87tasiUZcMH/jFqkwCA1QBj8utQ13690aIF VIGZfDAriYyFx/nUxu0B67ZbTKcjWxbPr1MBlPKh911Hy7ZmPRYAsu3YWPFLsUTd +zzoKI7u3T8jrSp9TdgKdjzJPJIhOTABJoUNoZaJIjVM3VhUN0ha/RupGDXNz8tB J7nv0q8AiTOZlWFOGP8LzLxCI7SQxevmNBmaeOVbvrNJt8Bla4MMQhJss01qxmBa aq5FXPFZ9BQKHIZacspbeVrKjtOW1nU0FVZHBUwVK3CbnYGTAW9vVvVo3qBcb5vT h0rRHoa5R8QQfG4mVHmreZIBdpRs/3BtXUAGhnN0a3KVR2QQl7wOFDkXSYhKi64= =WvDz -----END PGP SIGNATURE----- _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users