oss-sec mailing list archives

Re: CVE Request -- Unbound v1.4.3 -- 64 bit platforms specific remote DoS


From: Vincent Danen <vdanen () redhat com>
Date: Tue, 16 Mar 2010 14:13:09 -0600

* [2010-03-16 21:08:27 +0100] Tomas Hoger wrote:

> On Tue, 16 Mar 2010 11:56:31 -0600 Vincent Danen <vdanen () redhat com>
> wrote:
>
>>>  Unbound upstream has released latest, v1.4.3 version:
>>>  [1] http://www.unbound.net/download.html
>>>
>>>  addressing one denial of service issue, specific to 64 bit
>>>  platforms.
>>>
>>> References:
>>>  [2] http://bugs.gentoo.org/show_bug.cgi?id=309117
>>>
>>> Could you allocate CVE id for it?
>>
>> Please use CVE-2010-0735 for this issue.
>
> This just got CVE-2010-0969 from Mitre:
>
> Unbound before 1.4.3 does not properly align structures on 64-bit
> platforms, which allows remote attackers to cause a denial of service
> (daemon crash) via unspecified vectors.

Oh ouch.  Yeah, I see it now.  Talk about poor timing.

Please do _not_ use CVE-2010-0735 for this issue, but use CVE-2010-0969
instead.

Thanks, Tomas.

--
Vincent Danen / Red Hat Security Response Team
