Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion Failure

in BIND9 High numbers of queries with DNSSEC validation enabled can cause an assertion failure in named, caused by using a "bad cache" data structure before it has been initialized. CVE: CVE-2012-3817 Posting date: 24 July, 2012
svn path=/head/; revision=301487
2012-07-24 19:23:23 +00:00 · 2012-07-24 19:23:23 +00:00 · e859d6a9bf · 2021-03-31 03:12:20 +00:00
commit e859d6a9bf
parent 455284fb13
9 changed files with 75 additions and 32 deletions
--- a/dns/bind96/Makefile
+++ b/dns/bind96/Makefile
@ -12,10 +12,9 @@
 # release you can generally build it cleanly from the source - Doug

 PORTNAME=	bind96
-PORTVERSION=	9.6.3.1.ESV.R7.1
+PORTVERSION=	9.6.3.1.ESV.R7.2
 CATEGORIES=	dns net ipv6
-MASTER_SITES=	${MASTER_SITE_ISC} \
-		http://dougbarton.us/Downloads/%SUBDIR%/
+MASTER_SITES=	${MASTER_SITE_ISC}
 MASTER_SITE_SUBDIR=	bind9/${ISCVERSION}
 DISTNAME=	bind-${ISCVERSION}
 DISTFILES=	${DISTNAME}${EXTRACT_SUFX} ${DISTNAME}${EXTRACT_SUFX}.asc
@ -25,7 +24,7 @@ MAINTAINER=	dougb@FreeBSD.org
 COMMENT=	The BIND DNS suite with updated DNSSEC and threads

 # ISC releases things like 9.4.0b3, which our versioning doesn't like
-ISCVERSION=	9.6-ESV-R7-P1
+ISCVERSION=	9.6-ESV-R7-P2

 MAKE_JOBS_UNSAFE=	yes

--- a/dns/bind96/distinfo
+++ b/dns/bind96/distinfo
@ -1,4 +1,4 @@
-SHA256 (bind-9.6-ESV-R7-P1.tar.gz) = 4f3ad2ddc03ca09b72b3f267ba1164ec522b10f066e348f1c24ac2616a8c6d16
-SIZE (bind-9.6-ESV-R7-P1.tar.gz) = 6415389
-SHA256 (bind-9.6-ESV-R7-P1.tar.gz.asc) = e169e7fa9adf08f0d386cc8fbc41e1334199e5e7fc44c25d8d567cd13b6f1f0f
-SIZE (bind-9.6-ESV-R7-P1.tar.gz.asc) = 481
+SHA256 (bind-9.6-ESV-R7-P2.tar.gz) = 5dd1f751983f9658d34d1b31e384643554a94f79e1f3ee551d9af72a0550cf93
+SIZE (bind-9.6-ESV-R7-P2.tar.gz) = 6415767
+SHA256 (bind-9.6-ESV-R7-P2.tar.gz.asc) = 78d5afb1d87d51e5c6dedd92adcfceda02b371282f438f54cb1878d137f7a385
+SIZE (bind-9.6-ESV-R7-P2.tar.gz.asc) = 490
--- a/dns/bind97/Makefile
+++ b/dns/bind97/Makefile
@ -6,11 +6,10 @@
 #

 PORTNAME?=	bind97
-PORTVERSION=	9.7.6.1
+PORTVERSION=	9.7.6.2
 PORTREVISION?=	0
 CATEGORIES=	dns net ipv6
-MASTER_SITES=	${MASTER_SITE_ISC} \
-		http://dougbarton.us/Downloads/%SUBDIR%/
+MASTER_SITES=	${MASTER_SITE_ISC}
 MASTER_SITE_SUBDIR=	bind9/${ISCVERSION}
 DISTNAME=	bind-${ISCVERSION}
 DISTFILES=	${DISTNAME}${EXTRACT_SUFX} ${DISTNAME}${EXTRACT_SUFX}.asc
@ -20,7 +19,7 @@ MAINTAINER=	dougb@FreeBSD.org
 COMMENT?=	The BIND DNS suite with updated DNSSEC and threads

 # ISC releases things like 9.4.0b3, which our versioning doesn't like
-ISCVERSION=	9.7.6-P1
+ISCVERSION=	9.7.6-P2

 MAKE_JOBS_UNSAFE=	yes

--- a/dns/bind97/distinfo
+++ b/dns/bind97/distinfo
@ -1,4 +1,4 @@
-SHA256 (bind-9.7.6-P1.tar.gz) = 33703cc68d94e6a639fe95f24bcbedf9b088123bae9ef357f0668d78dd60e7f6
-SIZE (bind-9.7.6-P1.tar.gz) = 6978457
-SHA256 (bind-9.7.6-P1.tar.gz.asc) = 02f5d7cbec706fd22a1168c88d19cf318f932f45302b48dbc6aa91c0c96b4098
-SIZE (bind-9.7.6-P1.tar.gz.asc) = 481
+SHA256 (bind-9.7.6-P2.tar.gz) = f1ff8b778c6569198a88994dfdbfb6fb453648227c28656e65aee357a993b07d
+SIZE (bind-9.7.6-P2.tar.gz) = 6979194
+SHA256 (bind-9.7.6-P2.tar.gz.asc) = ad5ee83dfe27684c9af4c949bfdb4c4f2b72f37ab833c08b633baeb4ba707007
+SIZE (bind-9.7.6-P2.tar.gz.asc) = 490
--- a/dns/bind98/Makefile
+++ b/dns/bind98/Makefile
@ -12,10 +12,9 @@
 # release you can generally build it cleanly from the source - Doug

 PORTNAME=	bind98
-PORTVERSION=	9.8.3.1
+PORTVERSION=	9.8.3.2
 CATEGORIES=	dns net ipv6
-MASTER_SITES=	${MASTER_SITE_ISC} \
-		http://dougbarton.us/Downloads/%SUBDIR%/
+MASTER_SITES=	${MASTER_SITE_ISC}
 MASTER_SITE_SUBDIR=	bind9/${ISCVERSION}
 DISTNAME=	bind-${ISCVERSION}
 DISTFILES=	${DISTNAME}${EXTRACT_SUFX} ${DISTNAME}${EXTRACT_SUFX}.asc
@ -25,7 +24,7 @@ MAINTAINER=	dougb@FreeBSD.org
 COMMENT=	The BIND DNS suite with updated DNSSEC and DNS64

 # ISC releases things like 9.8.0-P1, which our versioning doesn't like
-ISCVERSION=	9.8.3-P1
+ISCVERSION=	9.8.3-P2

 MAKE_JOBS_UNSAFE=	yes

--- a/dns/bind98/distinfo
+++ b/dns/bind98/distinfo
@ -1,4 +1,4 @@
-SHA256 (bind-9.8.3-P1.tar.gz) = 850aede364f89e706dbfcbe7d70887bc3c2df468146da5cae8c8ab9ee4621891
-SIZE (bind-9.8.3-P1.tar.gz) = 7112920
-SHA256 (bind-9.8.3-P1.tar.gz.asc) = df23470f353b4f4eb70e7d34ebc7e94b55b1fc543445230a42c31ab9a49a5dc3
-SIZE (bind-9.8.3-P1.tar.gz.asc) = 481
+SHA256 (bind-9.8.3-P2.tar.gz) = b95d2e81b54ba972215c7fd52744fbe4711bd3fd6f217845ba95114d82c43588
+SIZE (bind-9.8.3-P2.tar.gz) = 7113192
+SHA256 (bind-9.8.3-P2.tar.gz.asc) = fe9e34fcd701ab312025665e825f2f840fae7067f6c6f361af4712bb22fcdb80
+SIZE (bind-9.8.3-P2.tar.gz.asc) = 490
--- a/dns/bind99/Makefile
+++ b/dns/bind99/Makefile
@ -11,10 +11,9 @@
 # release you can generally build it cleanly from the source - Doug

 PORTNAME=	bind99
-PORTVERSION=	9.9.1.1
+PORTVERSION=	9.9.1.2
 CATEGORIES=	dns net ipv6
-MASTER_SITES=	${MASTER_SITE_ISC} \
-		http://dougbarton.us/Downloads/%SUBDIR%/
+MASTER_SITES=	${MASTER_SITE_ISC}
 MASTER_SITE_SUBDIR=	bind9/${ISCVERSION}
 DISTNAME=	bind-${ISCVERSION}
 DISTFILES=	${DISTNAME}${EXTRACT_SUFX} ${DISTNAME}${EXTRACT_SUFX}.asc
@ -24,7 +23,7 @@ MAINTAINER=	dougb@FreeBSD.org
 COMMENT=	The BIND DNS suite with updated DNSSEC and DNS64

 # ISC releases things like 9.8.0-P1, which our versioning doesn't like
-ISCVERSION=	9.9.1-P1
+ISCVERSION=	9.9.1-P2

 MAKE_JOBS_UNSAFE=	yes

--- a/dns/bind99/distinfo
+++ b/dns/bind99/distinfo
@ -1,4 +1,4 @@
-SHA256 (bind-9.9.1-P1.tar.gz) = 2dc5886b3eb6768d312b43dbe1e23a5b67b4f4dcfa1a65b1017e7710bb764627
-SIZE (bind-9.9.1-P1.tar.gz) = 7223197
-SHA256 (bind-9.9.1-P1.tar.gz.asc) = 9692338123284f8d7b580d4368f59ff845868f3534c6a5efcfb4d6fc8a69ad58
-SIZE (bind-9.9.1-P1.tar.gz.asc) = 481
+SHA256 (bind-9.9.1-P2.tar.gz) = a46ecf6177b69d6e9a83a15f792d0594adcc8e800086208dd9b84452afb84d0e
+SIZE (bind-9.9.1-P2.tar.gz) = 7223896
+SHA256 (bind-9.9.1-P2.tar.gz.asc) = 0620c92284e6e00209ce47d3cff14161cc19be978762036cef9ec98e500cd8ed
+SIZE (bind-9.9.1-P2.tar.gz.asc) = 490
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@ -52,6 +52,53 @@ Note:  Please add new entries to the beginning of this file.

 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="0bc67930-d5c3-11e1-bef6-0024e81297ae">
+    <topic>dns/bind9* -- Heavy DNSSEC Validation Load Can Cause a 'Bad Cache' Assertion Failure</topic>
+    <affects>
+      <package>
+	<name>bind99</name>
+	<range><lt>9.9.1.2</lt></range>
+      </package>
+      <package>
+	<name>bind98</name>
+	<range><lt>9.8.3.2</lt></range>
+      </package>
+      <package>
+	<name>bind97</name>
+	<range><lt>9.7.6.2</lt></range>
+      </package>
+      <package>
+	<name>bind96</name>
+	<range><lt>9.6.3.1.ESV.R7.2</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>ISC reports:</p>
+	<blockquote cite="https://kb.isc.org/article/AA-00729">
+	  <p>High numbers of queries with DNSSEC validation enabled can
+	     cause an assertion failure in named, caused by using a 'bad cache'
+	     data structure before it has been initialized.</p>
+	  <p>BIND 9 stores a cache of query names that are known to be failing due
+	     to misconfigured name servers or a broken chain of trust. Under high query
+	     loads when DNSSEC validation is active, it is possible for a condition
+	     to arise in which data from this cache of failing queries could be used
+	     before it was fully initialized, triggering an assertion failure.</p>
+	  <p>This bug cannot be encountered unless your server is doing DNSSEC
+	     validation.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+	 <cvename>CVE-2012-3817</cvename>
+	 <url>https://kb.isc.org/article/AA-00729</url>
+    </references>
+    <dates>
+      <discovery>2012-07-24</discovery>
+      <entry>2012-07-24</entry>
+    </dates>
+  </vuln>
+
  <vuln vid="748aa89f-d529-11e1-82ab-001fd0af1a4c">
     <topic>rubygem-activerecord -- multiple vulnerabilities</topic>
     <affects>