Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion Failure
in BIND9 High numbers of queries with DNSSEC validation enabled can cause an assertion failure in named, caused by using a "bad cache" data structure before it has been initialized. CVE: CVE-2012-3817 Posting date: 24 July, 2012
This commit is contained in:
parent
455284fb13
commit
e859d6a9bf
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=301487
9 changed files with 75 additions and 32 deletions
|
@ -12,10 +12,9 @@
|
|||
# release you can generally build it cleanly from the source - Doug
|
||||
|
||||
PORTNAME= bind96
|
||||
PORTVERSION= 9.6.3.1.ESV.R7.1
|
||||
PORTVERSION= 9.6.3.1.ESV.R7.2
|
||||
CATEGORIES= dns net ipv6
|
||||
MASTER_SITES= ${MASTER_SITE_ISC} \
|
||||
http://dougbarton.us/Downloads/%SUBDIR%/
|
||||
MASTER_SITES= ${MASTER_SITE_ISC}
|
||||
MASTER_SITE_SUBDIR= bind9/${ISCVERSION}
|
||||
DISTNAME= bind-${ISCVERSION}
|
||||
DISTFILES= ${DISTNAME}${EXTRACT_SUFX} ${DISTNAME}${EXTRACT_SUFX}.asc
|
||||
|
@ -25,7 +24,7 @@ MAINTAINER= dougb@FreeBSD.org
|
|||
COMMENT= The BIND DNS suite with updated DNSSEC and threads
|
||||
|
||||
# ISC releases things like 9.4.0b3, which our versioning doesn't like
|
||||
ISCVERSION= 9.6-ESV-R7-P1
|
||||
ISCVERSION= 9.6-ESV-R7-P2
|
||||
|
||||
MAKE_JOBS_UNSAFE= yes
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
SHA256 (bind-9.6-ESV-R7-P1.tar.gz) = 4f3ad2ddc03ca09b72b3f267ba1164ec522b10f066e348f1c24ac2616a8c6d16
|
||||
SIZE (bind-9.6-ESV-R7-P1.tar.gz) = 6415389
|
||||
SHA256 (bind-9.6-ESV-R7-P1.tar.gz.asc) = e169e7fa9adf08f0d386cc8fbc41e1334199e5e7fc44c25d8d567cd13b6f1f0f
|
||||
SIZE (bind-9.6-ESV-R7-P1.tar.gz.asc) = 481
|
||||
SHA256 (bind-9.6-ESV-R7-P2.tar.gz) = 5dd1f751983f9658d34d1b31e384643554a94f79e1f3ee551d9af72a0550cf93
|
||||
SIZE (bind-9.6-ESV-R7-P2.tar.gz) = 6415767
|
||||
SHA256 (bind-9.6-ESV-R7-P2.tar.gz.asc) = 78d5afb1d87d51e5c6dedd92adcfceda02b371282f438f54cb1878d137f7a385
|
||||
SIZE (bind-9.6-ESV-R7-P2.tar.gz.asc) = 490
|
||||
|
|
|
@ -6,11 +6,10 @@
|
|||
#
|
||||
|
||||
PORTNAME?= bind97
|
||||
PORTVERSION= 9.7.6.1
|
||||
PORTVERSION= 9.7.6.2
|
||||
PORTREVISION?= 0
|
||||
CATEGORIES= dns net ipv6
|
||||
MASTER_SITES= ${MASTER_SITE_ISC} \
|
||||
http://dougbarton.us/Downloads/%SUBDIR%/
|
||||
MASTER_SITES= ${MASTER_SITE_ISC}
|
||||
MASTER_SITE_SUBDIR= bind9/${ISCVERSION}
|
||||
DISTNAME= bind-${ISCVERSION}
|
||||
DISTFILES= ${DISTNAME}${EXTRACT_SUFX} ${DISTNAME}${EXTRACT_SUFX}.asc
|
||||
|
@ -20,7 +19,7 @@ MAINTAINER= dougb@FreeBSD.org
|
|||
COMMENT?= The BIND DNS suite with updated DNSSEC and threads
|
||||
|
||||
# ISC releases things like 9.4.0b3, which our versioning doesn't like
|
||||
ISCVERSION= 9.7.6-P1
|
||||
ISCVERSION= 9.7.6-P2
|
||||
|
||||
MAKE_JOBS_UNSAFE= yes
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
SHA256 (bind-9.7.6-P1.tar.gz) = 33703cc68d94e6a639fe95f24bcbedf9b088123bae9ef357f0668d78dd60e7f6
|
||||
SIZE (bind-9.7.6-P1.tar.gz) = 6978457
|
||||
SHA256 (bind-9.7.6-P1.tar.gz.asc) = 02f5d7cbec706fd22a1168c88d19cf318f932f45302b48dbc6aa91c0c96b4098
|
||||
SIZE (bind-9.7.6-P1.tar.gz.asc) = 481
|
||||
SHA256 (bind-9.7.6-P2.tar.gz) = f1ff8b778c6569198a88994dfdbfb6fb453648227c28656e65aee357a993b07d
|
||||
SIZE (bind-9.7.6-P2.tar.gz) = 6979194
|
||||
SHA256 (bind-9.7.6-P2.tar.gz.asc) = ad5ee83dfe27684c9af4c949bfdb4c4f2b72f37ab833c08b633baeb4ba707007
|
||||
SIZE (bind-9.7.6-P2.tar.gz.asc) = 490
|
||||
|
|
|
@ -12,10 +12,9 @@
|
|||
# release you can generally build it cleanly from the source - Doug
|
||||
|
||||
PORTNAME= bind98
|
||||
PORTVERSION= 9.8.3.1
|
||||
PORTVERSION= 9.8.3.2
|
||||
CATEGORIES= dns net ipv6
|
||||
MASTER_SITES= ${MASTER_SITE_ISC} \
|
||||
http://dougbarton.us/Downloads/%SUBDIR%/
|
||||
MASTER_SITES= ${MASTER_SITE_ISC}
|
||||
MASTER_SITE_SUBDIR= bind9/${ISCVERSION}
|
||||
DISTNAME= bind-${ISCVERSION}
|
||||
DISTFILES= ${DISTNAME}${EXTRACT_SUFX} ${DISTNAME}${EXTRACT_SUFX}.asc
|
||||
|
@ -25,7 +24,7 @@ MAINTAINER= dougb@FreeBSD.org
|
|||
COMMENT= The BIND DNS suite with updated DNSSEC and DNS64
|
||||
|
||||
# ISC releases things like 9.8.0-P1, which our versioning doesn't like
|
||||
ISCVERSION= 9.8.3-P1
|
||||
ISCVERSION= 9.8.3-P2
|
||||
|
||||
MAKE_JOBS_UNSAFE= yes
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
SHA256 (bind-9.8.3-P1.tar.gz) = 850aede364f89e706dbfcbe7d70887bc3c2df468146da5cae8c8ab9ee4621891
|
||||
SIZE (bind-9.8.3-P1.tar.gz) = 7112920
|
||||
SHA256 (bind-9.8.3-P1.tar.gz.asc) = df23470f353b4f4eb70e7d34ebc7e94b55b1fc543445230a42c31ab9a49a5dc3
|
||||
SIZE (bind-9.8.3-P1.tar.gz.asc) = 481
|
||||
SHA256 (bind-9.8.3-P2.tar.gz) = b95d2e81b54ba972215c7fd52744fbe4711bd3fd6f217845ba95114d82c43588
|
||||
SIZE (bind-9.8.3-P2.tar.gz) = 7113192
|
||||
SHA256 (bind-9.8.3-P2.tar.gz.asc) = fe9e34fcd701ab312025665e825f2f840fae7067f6c6f361af4712bb22fcdb80
|
||||
SIZE (bind-9.8.3-P2.tar.gz.asc) = 490
|
||||
|
|
|
@ -11,10 +11,9 @@
|
|||
# release you can generally build it cleanly from the source - Doug
|
||||
|
||||
PORTNAME= bind99
|
||||
PORTVERSION= 9.9.1.1
|
||||
PORTVERSION= 9.9.1.2
|
||||
CATEGORIES= dns net ipv6
|
||||
MASTER_SITES= ${MASTER_SITE_ISC} \
|
||||
http://dougbarton.us/Downloads/%SUBDIR%/
|
||||
MASTER_SITES= ${MASTER_SITE_ISC}
|
||||
MASTER_SITE_SUBDIR= bind9/${ISCVERSION}
|
||||
DISTNAME= bind-${ISCVERSION}
|
||||
DISTFILES= ${DISTNAME}${EXTRACT_SUFX} ${DISTNAME}${EXTRACT_SUFX}.asc
|
||||
|
@ -24,7 +23,7 @@ MAINTAINER= dougb@FreeBSD.org
|
|||
COMMENT= The BIND DNS suite with updated DNSSEC and DNS64
|
||||
|
||||
# ISC releases things like 9.8.0-P1, which our versioning doesn't like
|
||||
ISCVERSION= 9.9.1-P1
|
||||
ISCVERSION= 9.9.1-P2
|
||||
|
||||
MAKE_JOBS_UNSAFE= yes
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
SHA256 (bind-9.9.1-P1.tar.gz) = 2dc5886b3eb6768d312b43dbe1e23a5b67b4f4dcfa1a65b1017e7710bb764627
|
||||
SIZE (bind-9.9.1-P1.tar.gz) = 7223197
|
||||
SHA256 (bind-9.9.1-P1.tar.gz.asc) = 9692338123284f8d7b580d4368f59ff845868f3534c6a5efcfb4d6fc8a69ad58
|
||||
SIZE (bind-9.9.1-P1.tar.gz.asc) = 481
|
||||
SHA256 (bind-9.9.1-P2.tar.gz) = a46ecf6177b69d6e9a83a15f792d0594adcc8e800086208dd9b84452afb84d0e
|
||||
SIZE (bind-9.9.1-P2.tar.gz) = 7223896
|
||||
SHA256 (bind-9.9.1-P2.tar.gz.asc) = 0620c92284e6e00209ce47d3cff14161cc19be978762036cef9ec98e500cd8ed
|
||||
SIZE (bind-9.9.1-P2.tar.gz.asc) = 490
|
||||
|
|
|
@ -52,6 +52,53 @@ Note: Please add new entries to the beginning of this file.
|
|||
|
||||
-->
|
||||
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
|
||||
<vuln vid="0bc67930-d5c3-11e1-bef6-0024e81297ae">
|
||||
<topic>dns/bind9* -- Heavy DNSSEC Validation Load Can Cause a 'Bad Cache' Assertion Failure</topic>
|
||||
<affects>
|
||||
<package>
|
||||
<name>bind99</name>
|
||||
<range><lt>9.9.1.2</lt></range>
|
||||
</package>
|
||||
<package>
|
||||
<name>bind98</name>
|
||||
<range><lt>9.8.3.2</lt></range>
|
||||
</package>
|
||||
<package>
|
||||
<name>bind97</name>
|
||||
<range><lt>9.7.6.2</lt></range>
|
||||
</package>
|
||||
<package>
|
||||
<name>bind96</name>
|
||||
<range><lt>9.6.3.1.ESV.R7.2</lt></range>
|
||||
</package>
|
||||
</affects>
|
||||
<description>
|
||||
<body xmlns="http://www.w3.org/1999/xhtml">
|
||||
<p>ISC reports:</p>
|
||||
<blockquote cite="https://kb.isc.org/article/AA-00729">
|
||||
<p>High numbers of queries with DNSSEC validation enabled can
|
||||
cause an assertion failure in named, caused by using a 'bad cache'
|
||||
data structure before it has been initialized.</p>
|
||||
<p>BIND 9 stores a cache of query names that are known to be failing due
|
||||
to misconfigured name servers or a broken chain of trust. Under high query
|
||||
loads when DNSSEC validation is active, it is possible for a condition
|
||||
to arise in which data from this cache of failing queries could be used
|
||||
before it was fully initialized, triggering an assertion failure.</p>
|
||||
<p>This bug cannot be encountered unless your server is doing DNSSEC
|
||||
validation.</p>
|
||||
</blockquote>
|
||||
</body>
|
||||
</description>
|
||||
<references>
|
||||
<cvename>CVE-2012-3817</cvename>
|
||||
<url>https://kb.isc.org/article/AA-00729</url>
|
||||
</references>
|
||||
<dates>
|
||||
<discovery>2012-07-24</discovery>
|
||||
<entry>2012-07-24</entry>
|
||||
</dates>
|
||||
</vuln>
|
||||
|
||||
<vuln vid="748aa89f-d529-11e1-82ab-001fd0af1a4c">
|
||||
<topic>rubygem-activerecord -- multiple vulnerabilities</topic>
|
||||
<affects>
|
||||
|
|
Loading…
Reference in a new issue