Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion Failure

in BIND9

High numbers of queries with DNSSEC validation enabled can cause an
assertion failure in named, caused by using a "bad cache" data structure
before it has been initialized.

CVE: CVE-2012-3817
Posting date: 24 July, 2012
This commit is contained in:
Doug Barton 2012-07-24 19:23:23 +00:00
parent 455284fb13
commit e859d6a9bf
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=301487
9 changed files with 75 additions and 32 deletions

View file

@ -12,10 +12,9 @@
# release you can generally build it cleanly from the source - Doug
PORTNAME= bind96
PORTVERSION= 9.6.3.1.ESV.R7.1
PORTVERSION= 9.6.3.1.ESV.R7.2
CATEGORIES= dns net ipv6
MASTER_SITES= ${MASTER_SITE_ISC} \
http://dougbarton.us/Downloads/%SUBDIR%/
MASTER_SITES= ${MASTER_SITE_ISC}
MASTER_SITE_SUBDIR= bind9/${ISCVERSION}
DISTNAME= bind-${ISCVERSION}
DISTFILES= ${DISTNAME}${EXTRACT_SUFX} ${DISTNAME}${EXTRACT_SUFX}.asc
@ -25,7 +24,7 @@ MAINTAINER= dougb@FreeBSD.org
COMMENT= The BIND DNS suite with updated DNSSEC and threads
# ISC releases things like 9.4.0b3, which our versioning doesn't like
ISCVERSION= 9.6-ESV-R7-P1
ISCVERSION= 9.6-ESV-R7-P2
MAKE_JOBS_UNSAFE= yes

View file

@ -1,4 +1,4 @@
SHA256 (bind-9.6-ESV-R7-P1.tar.gz) = 4f3ad2ddc03ca09b72b3f267ba1164ec522b10f066e348f1c24ac2616a8c6d16
SIZE (bind-9.6-ESV-R7-P1.tar.gz) = 6415389
SHA256 (bind-9.6-ESV-R7-P1.tar.gz.asc) = e169e7fa9adf08f0d386cc8fbc41e1334199e5e7fc44c25d8d567cd13b6f1f0f
SIZE (bind-9.6-ESV-R7-P1.tar.gz.asc) = 481
SHA256 (bind-9.6-ESV-R7-P2.tar.gz) = 5dd1f751983f9658d34d1b31e384643554a94f79e1f3ee551d9af72a0550cf93
SIZE (bind-9.6-ESV-R7-P2.tar.gz) = 6415767
SHA256 (bind-9.6-ESV-R7-P2.tar.gz.asc) = 78d5afb1d87d51e5c6dedd92adcfceda02b371282f438f54cb1878d137f7a385
SIZE (bind-9.6-ESV-R7-P2.tar.gz.asc) = 490

View file

@ -6,11 +6,10 @@
#
PORTNAME?= bind97
PORTVERSION= 9.7.6.1
PORTVERSION= 9.7.6.2
PORTREVISION?= 0
CATEGORIES= dns net ipv6
MASTER_SITES= ${MASTER_SITE_ISC} \
http://dougbarton.us/Downloads/%SUBDIR%/
MASTER_SITES= ${MASTER_SITE_ISC}
MASTER_SITE_SUBDIR= bind9/${ISCVERSION}
DISTNAME= bind-${ISCVERSION}
DISTFILES= ${DISTNAME}${EXTRACT_SUFX} ${DISTNAME}${EXTRACT_SUFX}.asc
@ -20,7 +19,7 @@ MAINTAINER= dougb@FreeBSD.org
COMMENT?= The BIND DNS suite with updated DNSSEC and threads
# ISC releases things like 9.4.0b3, which our versioning doesn't like
ISCVERSION= 9.7.6-P1
ISCVERSION= 9.7.6-P2
MAKE_JOBS_UNSAFE= yes

View file

@ -1,4 +1,4 @@
SHA256 (bind-9.7.6-P1.tar.gz) = 33703cc68d94e6a639fe95f24bcbedf9b088123bae9ef357f0668d78dd60e7f6
SIZE (bind-9.7.6-P1.tar.gz) = 6978457
SHA256 (bind-9.7.6-P1.tar.gz.asc) = 02f5d7cbec706fd22a1168c88d19cf318f932f45302b48dbc6aa91c0c96b4098
SIZE (bind-9.7.6-P1.tar.gz.asc) = 481
SHA256 (bind-9.7.6-P2.tar.gz) = f1ff8b778c6569198a88994dfdbfb6fb453648227c28656e65aee357a993b07d
SIZE (bind-9.7.6-P2.tar.gz) = 6979194
SHA256 (bind-9.7.6-P2.tar.gz.asc) = ad5ee83dfe27684c9af4c949bfdb4c4f2b72f37ab833c08b633baeb4ba707007
SIZE (bind-9.7.6-P2.tar.gz.asc) = 490

View file

@ -12,10 +12,9 @@
# release you can generally build it cleanly from the source - Doug
PORTNAME= bind98
PORTVERSION= 9.8.3.1
PORTVERSION= 9.8.3.2
CATEGORIES= dns net ipv6
MASTER_SITES= ${MASTER_SITE_ISC} \
http://dougbarton.us/Downloads/%SUBDIR%/
MASTER_SITES= ${MASTER_SITE_ISC}
MASTER_SITE_SUBDIR= bind9/${ISCVERSION}
DISTNAME= bind-${ISCVERSION}
DISTFILES= ${DISTNAME}${EXTRACT_SUFX} ${DISTNAME}${EXTRACT_SUFX}.asc
@ -25,7 +24,7 @@ MAINTAINER= dougb@FreeBSD.org
COMMENT= The BIND DNS suite with updated DNSSEC and DNS64
# ISC releases things like 9.8.0-P1, which our versioning doesn't like
ISCVERSION= 9.8.3-P1
ISCVERSION= 9.8.3-P2
MAKE_JOBS_UNSAFE= yes

View file

@ -1,4 +1,4 @@
SHA256 (bind-9.8.3-P1.tar.gz) = 850aede364f89e706dbfcbe7d70887bc3c2df468146da5cae8c8ab9ee4621891
SIZE (bind-9.8.3-P1.tar.gz) = 7112920
SHA256 (bind-9.8.3-P1.tar.gz.asc) = df23470f353b4f4eb70e7d34ebc7e94b55b1fc543445230a42c31ab9a49a5dc3
SIZE (bind-9.8.3-P1.tar.gz.asc) = 481
SHA256 (bind-9.8.3-P2.tar.gz) = b95d2e81b54ba972215c7fd52744fbe4711bd3fd6f217845ba95114d82c43588
SIZE (bind-9.8.3-P2.tar.gz) = 7113192
SHA256 (bind-9.8.3-P2.tar.gz.asc) = fe9e34fcd701ab312025665e825f2f840fae7067f6c6f361af4712bb22fcdb80
SIZE (bind-9.8.3-P2.tar.gz.asc) = 490

View file

@ -11,10 +11,9 @@
# release you can generally build it cleanly from the source - Doug
PORTNAME= bind99
PORTVERSION= 9.9.1.1
PORTVERSION= 9.9.1.2
CATEGORIES= dns net ipv6
MASTER_SITES= ${MASTER_SITE_ISC} \
http://dougbarton.us/Downloads/%SUBDIR%/
MASTER_SITES= ${MASTER_SITE_ISC}
MASTER_SITE_SUBDIR= bind9/${ISCVERSION}
DISTNAME= bind-${ISCVERSION}
DISTFILES= ${DISTNAME}${EXTRACT_SUFX} ${DISTNAME}${EXTRACT_SUFX}.asc
@ -24,7 +23,7 @@ MAINTAINER= dougb@FreeBSD.org
COMMENT= The BIND DNS suite with updated DNSSEC and DNS64
# ISC releases things like 9.8.0-P1, which our versioning doesn't like
ISCVERSION= 9.9.1-P1
ISCVERSION= 9.9.1-P2
MAKE_JOBS_UNSAFE= yes

View file

@ -1,4 +1,4 @@
SHA256 (bind-9.9.1-P1.tar.gz) = 2dc5886b3eb6768d312b43dbe1e23a5b67b4f4dcfa1a65b1017e7710bb764627
SIZE (bind-9.9.1-P1.tar.gz) = 7223197
SHA256 (bind-9.9.1-P1.tar.gz.asc) = 9692338123284f8d7b580d4368f59ff845868f3534c6a5efcfb4d6fc8a69ad58
SIZE (bind-9.9.1-P1.tar.gz.asc) = 481
SHA256 (bind-9.9.1-P2.tar.gz) = a46ecf6177b69d6e9a83a15f792d0594adcc8e800086208dd9b84452afb84d0e
SIZE (bind-9.9.1-P2.tar.gz) = 7223896
SHA256 (bind-9.9.1-P2.tar.gz.asc) = 0620c92284e6e00209ce47d3cff14161cc19be978762036cef9ec98e500cd8ed
SIZE (bind-9.9.1-P2.tar.gz.asc) = 490

View file

@ -52,6 +52,53 @@ Note: Please add new entries to the beginning of this file.
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
<vuln vid="0bc67930-d5c3-11e1-bef6-0024e81297ae">
<topic>dns/bind9* -- Heavy DNSSEC Validation Load Can Cause a 'Bad Cache' Assertion Failure</topic>
<affects>
<package>
<name>bind99</name>
<range><lt>9.9.1.2</lt></range>
</package>
<package>
<name>bind98</name>
<range><lt>9.8.3.2</lt></range>
</package>
<package>
<name>bind97</name>
<range><lt>9.7.6.2</lt></range>
</package>
<package>
<name>bind96</name>
<range><lt>9.6.3.1.ESV.R7.2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>ISC reports:</p>
<blockquote cite="https://kb.isc.org/article/AA-00729">
<p>High numbers of queries with DNSSEC validation enabled can
cause an assertion failure in named, caused by using a 'bad cache'
data structure before it has been initialized.</p>
<p>BIND 9 stores a cache of query names that are known to be failing due
to misconfigured name servers or a broken chain of trust. Under high query
loads when DNSSEC validation is active, it is possible for a condition
to arise in which data from this cache of failing queries could be used
before it was fully initialized, triggering an assertion failure.</p>
<p>This bug cannot be encountered unless your server is doing DNSSEC
validation.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2012-3817</cvename>
<url>https://kb.isc.org/article/AA-00729</url>
</references>
<dates>
<discovery>2012-07-24</discovery>
<entry>2012-07-24</entry>
</dates>
</vuln>
<vuln vid="748aa89f-d529-11e1-82ab-001fd0af1a4c">
<topic>rubygem-activerecord -- multiple vulnerabilities</topic>
<affects>