I’ll have a patch for platforms without atomic support for you. -- Ondřej Surý <ond...@sury.org>
> On 25 Apr 2019, at 08:49, Bernhard Schmidt <be...@debian.org> wrote:
>
> Package: src:bind9
> Severity: grave
> Tags: security, upstream
>
> CVE: CVE-2018-5743
> Document version: 2.0
> Posting date: 24 April 2019
> Program impacted: BIND
> Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6,
> 9.12.0 -> 9.12.4, 9.14.0. BIND 9 Supported Preview
> Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5.
> Versions 9.13.0 -> 9.13.7 of the 9.13 development branch
> are also affected. Versions prior to BIND 9.9.0 have not
> been evaluated for vulnerability to CVE-2018-5743.
> Severity: High
> Exploitable: Remotely
>
> Description:
>
> By design, BIND is intended to limit the number of TCP clients
> that can be connected at any given time. The number of allowed
> connections is a tunable parameter which, if unset, defaults to
> a conservative value for most servers. Unfortunately, the code
> which was intended to limit the number of simultaneous connections
> contains an error which can be exploited to grow the number of
> simultaneous connections beyond this limit.
>
> Impact:
>
> By exploiting the failure to limit simultaneous TCP connections,
> an attacker can deliberately exhaust the pool of file descriptors
> available to named, potentially affecting network connections
> and the management of files such as log files or zone journal
> files.
>
> In cases where the named process is not limited by OS-enforced
> per-process limits, this could additionally potentially lead to
> exhaustion of all available free file descriptors on that system.
>
> CVSS Score: 7.5
> CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
>
> For more information on the Common Vulnerability Scoring System and
> to obtain your specific environmental score please visit:
> https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
>
> Workarounds:
>
> None.
>
> Active exploits:
>
> No known deliberate exploits, but the situation may occur
> accidentally on busy servers.
>
> It is possible for operators to mistakenly believe that their
> configured (or default) limit is sufficient for their typical
> operations, when in fact it is not. Following an upgrade to a
> version that effectively applies limits, named may deny connections
> which were previously improperly permitted. Operators can monitor
> their logs for rejected connections, keep an eye on "rndc status"
> reports of simultaneous connections, or use other tools to monitor
> whether the now-effective limits are causing problems for
> legitimate clients. Should this be the case, increasing the value
> of the tcp-clients setting in named.conf to an appropriate value
> would be recommended.
>
> Solution:
>
> Upgrade to a version of BIND containing a fix for the ineffective
> limits.
>
> - BIND 9.11.6-P1
> - BIND 9.12.4-P1
> - BIND 9.14.1
>
> BIND Supported Preview Edition is a special feature preview
> branch of BIND provided to eligible ISC support customers.
>
> - BIND 9.11.5-S6
> - BIND 9.11.6-S1
>
> Acknowledgements:
>
> ISC would like to thank AT&T for helping us to discover this
> issue.
>
> Document revision history:
>
> 1.0 Advance Notification, 16 January 2019
> 1.1 Recall due to error in original fix, 17 January 2019
> 1.3 Replacement fix delivered to Advance Notification customers, 15 April 2019
> 1.4 Corrected Versions affected and Solution, 16 April 2019
> 1.5 Added reference to BIND 9.11.6-S1
> 2.0 Public disclosure, 24 April 2019
>
> Related documents:
>
> See our BIND 9 Security Vulnerability Matrix for a complete
> listing of security vulnerabilities and versions affected.
>
> Do you still have questions? Questions regarding this advisory
> should go to security-offi...@isc.org.
> To report a new issue, please
> encrypt your message using security-offi...@isc.org's PGP key which
> can be found here:
> https://www.isc.org/downloads/software-support-policy/openpgp-key
> If you are unable to use encrypted email, you may also report new
> issues at: https://www.isc.org/community/report-bug/.
>
> Note:
>
> ISC patches only currently supported versions. When possible we
> indicate EOL versions affected. (For current information on which
> versions are actively supported, please see
> https://www.isc.org/downloads/.)
>
> ISC Security Vulnerability Disclosure Policy:
>
> Details of our current security advisory policy and practice can
> be found in the ISC Software Defect and Security Vulnerability
> Disclosure Policy.
>
> Legal Disclaimer:
>
> Internet Systems Consortium (ISC) is providing this notice on
> an "AS IS" basis. No warranty or guarantee of any kind is expressed
> in this notice and none should be implied. ISC expressly excludes
> and disclaims any warranties regarding this notice or materials
> referred to in this notice, including, without limitation, any
> implied warranty of merchantability, fitness for a particular
> purpose, absence of hidden defects, or of non-infringement. Your
> use or reliance on this notice or materials referred to in this
> notice is at your own risk. ISC may change this notice at any
> time. A stand-alone copy or paraphrase of the text of this
> document that omits the document URL is an uncontrolled copy.
> Uncontrolled copies may lack important information, be out of
> date, or contain factual errors.
>
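The advisory's "Active exploits" section tells operators what to do after upgrading to a version that actually enforces tcp-clients: watch "rndc status" for the simultaneous-connection count, watch the log for rejected connections, and raise tcp-clients in named.conf if legitimate clients are being turned away. The following is an added example of that check, not code from the bug report, from Debian or from ISC. It assumes that `rndc status` reports the count as a line of the form "tcp clients: <current>/<limit>", and it assumes the wording of named's log message when the TCP quota is hit; the `rndc status` output and log lines embedded below are constructed for the example.

```python
"""Added example: is the now-enforced tcp-clients limit being hit?

Reads the "tcp clients: N/M" line that `rndc status` prints (assumed
format), counts quota-rejection messages in the named log (assumed
wording), and suggests a new tcp-clients value for named.conf when the
limit is saturated.  All sample data below is constructed.
"""
import re
import subprocess

# Assumption: rndc status prints "tcp clients: <current>/<limit>"
TCP_CLIENTS_RE = re.compile(r"^tcp clients:\s*(\d+)/(\d+)\s*$", re.MULTILINE)
# Assumption: named logs a client-quota rejection containing this phrase
QUOTA_LOG_RE = re.compile(r"no more TCP clients")


def parse_tcp_clients(status_output):
    """Return (current, limit) from `rndc status` output, or None if the line is absent."""
    m = TCP_CLIENTS_RE.search(status_output)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def count_quota_rejections(log_lines):
    """Number of log lines that look like a TCP client-quota rejection."""
    return sum(1 for line in log_lines if QUOTA_LOG_RE.search(line))


def assess(status_output, log_lines, warn_fraction=0.8):
    """Classify the situation as ok / warn / critical / unknown with the evidence.

    critical: the limit is saturated or named has already rejected clients
    warn:     usage is above warn_fraction of the limit
    ok:       comfortable headroom
    """
    rejections = count_quota_rejections(log_lines)
    parsed = parse_tcp_clients(status_output)
    if parsed is None:
        return {"level": "unknown", "reason": "no 'tcp clients' line in rndc status",
                "rejections": rejections}
    current, limit = parsed
    util = current / limit if limit else 1.0
    if rejections > 0 or current >= limit:
        level = "critical"
    elif util >= warn_fraction:
        level = "warn"
    else:
        level = "ok"
    return {"level": level, "current": current, "limit": limit,
            "utilization": util, "rejections": rejections}


def suggested_tcp_clients(current, limit, headroom=2.0):
    """Suggest a tcp-clients value: observed peak times headroom, never below the
    existing limit, rounded up to a multiple of 50 (a value one would actually
    write into named.conf).  The headroom factor is an arbitrary choice."""
    target = max(limit, int(current * headroom))
    return ((target + 49) // 50) * 50


def live_status():
    """Run the real rndc; needs rndc key access.  Not exercised by the sample run."""
    return subprocess.run(["rndc", "status"], capture_output=True,
                          text=True, check=True).stdout


# Constructed sample of `rndc status` output (format assumed, values invented)
SAMPLE_STATUS = """\
version: BIND 9.11.6-P1 (Extended Support Version) <id:d5a9d45>
running on ns1: Linux x86_64
boot time: Thu, 25 Apr 2019 06:49:20 GMT
recursive clients: 12/900/1000
tcp clients: 148/150
server is up and running
"""

# Constructed sample log lines; the quota message wording is an assumption
SAMPLE_LOG = [
    "25-Apr-2019 08:49:01.123 client: warning: no more TCP clients(accept): quota reached",
    "25-Apr-2019 08:49:01.456 queries: info: client 192.0.2.10#53412 (example.com): query: example.com IN A +T (198.51.100.1)",
]

if __name__ == "__main__":
    verdict = assess(SAMPLE_STATUS, SAMPLE_LOG)
    print(verdict)
    if verdict["level"] in ("warn", "critical"):
        print("consider: tcp-clients %d;"
              % suggested_tcp_clients(verdict["current"], verdict["limit"]))
```

In production, replace SAMPLE_STATUS with the return value of live_status() and feed the tail of the named log to assess(); the log check matters because a limit hit between two polls of `rndc status` leaves no trace in the counter. Since the advisory notes the message may simply be a busy server rather than an attack, the output is a prompt to review tcp-clients, not an alarm by itself.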