author | wxs <wxs@FreeBSD.org> | 2009-08-01 22:13:24 +0800 |
---|---|---|
committer | wxs <wxs@FreeBSD.org> | 2009-08-01 22:13:24 +0800 |
commit | 54296a9b3126520f6d3f8bda6c6aa678f38eb154 (patch) | |
tree | d8b52dc2fa89222c68259c6871a53f93228e902d /security | |
parent | b1363ef10c5c88f1953d220d9e30a58ebad9c6d6 (diff) | |
- Document BIND DoS in base and ports.
Reviewed by: remko
Approved by: secteam (remko)
Diffstat (limited to 'security')
-rw-r--r-- | security/vuxml/vuln.xml | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 97b1b0112b82..67af69212999 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml 
@@ -34,6 +34,54 @@ Note: Please add new entries to the beginning of this file. --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="83725c91-7c7e-11de-9672-00e0815b8da8"> + <topic>BIND -- Dynamic update message remote DoS</topic> + <affects> + <package> + <name>bind9</name> + <range><lt>9.3.6.1.1</lt></range> + </package> + <system> + <name>FreeBSD</name> + <range><ge>6.3</ge><lt>6.3_12</lt></range> + <range><ge>6.4</ge><lt>6.4_6</lt></range> + <range><ge>7.1</ge><lt>7.1_7</lt></range> + <range><ge>7.2</ge><lt>7.2_3</lt></range> + </system> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <h1>Problem Description:</h1> + <p>When named(8) receives a specially crafted dynamic update + message an internal assertion check is triggered which causes + named(8) to exit.</p> + <p>To trigger the problem, the dynamic update message must contains + a record of type "ANY" and at least one resource record set (RRset) + for this fully qualified domain name (FQDN) must exist on the + server.</p> + <h1>Impact:</h1> + <p>An attacker which can send DNS requests to a nameserver can cause + it to exit, thus creating a Denial of Service situation.</p> + <h1>Workaround:</h1> + <p>No generally applicable workaround is available, but some firewalls + may be able to prevent nsupdate DNS packets from reaching the + nameserver.</p> + <p>NOTE WELL: Merely configuring named(8) to ignore dynamic updates + is NOT sufficient to protect it from this vulnerability.</p> + </body> + </description> + <references> + <cvename>CVE-2009-0696</cvename> + <freebsdsa>SA-09:12.bind</freebsdsa> + <url>http://www.kb.cert.org/vuls/id/725188</url> + <url>https://www.isc.org/node/474</url> + </references> + <dates> + <discovery>2009-07-28</discovery> + <entry>2009-07-29</entry> + </dates> + </vuln> + <vuln vid="708c65a5-7c58-11de-a994-0030843d3802"> <topic>mono -- XML signature HMAC truncation spoofing</topic> <affects> |
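Review bot: In the `<dates>` block of the new BIND entry, `<entry>2009-07-29</entry>` is earlier than this commit's date of 2009-08-01. The entry date records when the entry was added to vuln.xml, so consider setting it to 2009-08-01 unless the earlier date is deliberate. Two wording points in the `<description>` body: in the second paragraph under "Problem Description:", "must contains a record of type" should read "must contain a record of type", and under "Impact:", "An attacker which can send DNS requests" reads better as "An attacker who can send DNS requests".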