trigger point for new bug

michoski michoski at cisco.com
Wed Nov 16 22:22:30 UTC 2011


On 11/16/11 1:20 PM, "Michael McNally" <mcnally at isc.org> wrote:
> According to our best current understanding of the issue:
> 
> +  Authoritative-only nameservers should be safe and only
>     recursing servers at risk.
> 
> +  From the security advisory we have posted on our website:
>     ( http://www.isc.org/software/bind/advisories/cve-2011-4313 )
>     "An as-yet unidentified network event caused BIND 9 resolvers
>     to cache an invalid record, subsequent queries for which could
>     crash the resolvers with an assertion failure."
> 
>     Your server has to be servicing a query for the invalid cache
>     data to pull the trigger on this.  That comes after the query
>     ACL is applied.

Thanks for the detailed analysis.

> Mitigation patches have been posted to the ISC web site which can
> prevent the server from exiting when the invalid cache data is
> encountered.  We strongly advise anyone running a recursing BIND 9
> server to deploy them.

Short time ago I grabbed the latest tarball from your download site, and
generated internal packages.  I could have sworn that was 9.8.1-P4 (our
internal packages still have the P4, and Google finds some hits):

PROD:1 mhoskins at adns1:~$ rpm -qa | grep bind
bind98-utils-9.8.1-1.P4
bind98-libs-9.8.1-1.P4
bind98-chroot-9.8.1-1.P4
bind98-9.8.1-1.P4

...which led to mass confusion on how/why "P1" is newer than "P4" -- or if I
somehow entered a magic time warp.  Were "P4" packages posted for some
window of time that were later removed?

No worries, I will move to P1 given today's date on the tarball.  :-)

Thanks!

-- 
By nature, men are nearly alike;
by practice, they get to be wide apart.
        -- Confucius




More information about the bind-users mailing list