trigger point for new bug
mcnally at isc.org
Wed Nov 16 21:20:17 UTC 2011
On 11/16/11 9:55 AM, Chris Brookes wrote:
> Any info on whether the newly announced bug can be triggered before
> the query ACL is applied on a recursive only server? An authoritative
> only server ought to be safe?
According to our best current understanding of the issue:
+ Authoritative-only nameservers should be safe and only
recursing servers at risk.
+ From the security advisory we have posted on our website:
( http://www.isc.org/software/bind/advisories/cve-2011-4313 )
"An as-yet unidentified network event caused BIND 9 resolvers
to cache an invalid record, subsequent queries for which could
crash the resolvers with an assertion failure."
Your server has to be servicing a query for the invalid cache
data to pull the trigger on this. That comes after the query
ACL is applied.
Although that's somewhat better than "anyone, anywhere, can cause
this to happen to any server at any time", you should not rely on
it, as it requires little imagination to think how a user in your
network might be enticed into an action which caused them to issue
a query for the malformed data.
Mitigation patches have been posted to the ISC web site which can
prevent the server from exiting when the invalid cache data is
encountered. We strongly advise anyone running a recursing BIND 9
server to deploy them.
More information about the bind-users