trigger point for new bug
gaurav.kansal at nic.in
Thu Nov 17 11:58:53 UTC 2011
Can you please explain What is the meaning of "INVALID RECORD"?????
Thanks and Regards,
From: bind-users-bounces+gaurav.kansal=nic.in at lists.isc.org
[mailto:bind-users-bounces+gaurav.kansal=nic.in at lists.isc.org] On Behalf Of
Sent: Thursday, 17 November, 2011 2:50 AM
To: bind-users at lists.isc.org
Subject: Re: trigger point for new bug
On 11/16/11 9:55 AM, Chris Brookes wrote:
> Any info on whether the newly announced bug can be triggered before
> the query ACL is applied on a recursive only server? An authoritative
> only server ought to be safe?
According to our best current understanding of the issue:
+ Authoritative-only nameservers should be safe and only
recursing servers at risk.
+ From the security advisory we have posted on our website:
( http://www.isc.org/software/bind/advisories/cve-2011-4313 )
"An as-yet unidentified network event caused BIND 9 resolvers
to cache an invalid record, subsequent queries for which could
crash the resolvers with an assertion failure."
Your server has to be servicing a query for the invalid cache
data to pull the trigger on this. That comes after the query
ACL is applied.
Although that's somewhat better than "anyone, anywhere, can cause this to
happen to any server at any time", you should not rely on it, as it requires
little imagination to think how a user in your network might be enticed into
an action which caused them to issue a query for the malformed data.
Mitigation patches have been posted to the ISC web site which can prevent
the server from exiting when the invalid cache data is encountered. We
strongly advise anyone running a recursing BIND 9 server to deploy them.
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list
bind-users mailing list
bind-users at lists.isc.org
More information about the bind-users