oss-sec mailing list archives
debian bug report on bind9 DoS
From: Vincent Danen <vdanen () redhat com>
Date: Tue, 28 Jul 2009 12:08:25 -0600
There's a bind 9 DoS reported in Debian's BTS [1] that provides a reproducer and some interesting info on a bind9 crash.

I don't think it's a huge problem with a well-secured bind9 configuration, but could be quite problematic for bind configs that allow updates without an RNDC key (typical of some dynamic DNS implementations), or on a system that has lax enough permissions that the RNDC key is exposed.

We don't ship bind 8 so I cannot say whether or not it only affects bind 9 or earlier versions.

Some further information is in our bugzilla from some quick testing I did [2].

This probably requires a CVE name.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538975
[2] https://bugzilla.redhat.com/show_bug.cgi?id=514292

--
Vincent Danen / Red Hat Security Response Team
Current thread:
- debian bug report on bind9 DoS Vincent Danen (Jul 28)
- Re: debian bug report on bind9 DoS Thijs Kinkhorst (Jul 28)
- Re: debian bug report on bind9 DoS Vincent Danen (Jul 28)
- Re: debian bug report on bind9 DoS Robert Buchholz (Jul 28)
- Re: debian bug report on bind9 DoS Nico Golde (Jul 29)
- Re: debian bug report on bind9 DoS Solar Designer (Jul 29)
- Re: debian bug report on bind9 DoS Solar Designer (Jul 29)
- Re: debian bug report on bind9 DoS Thijs Kinkhorst (Jul 28)