ISC Security Advisory: CVE-2013-2266: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named

Jack Tavares j.tavares at F5.com
Tue Mar 26 18:12:01 UTC 2013


Thank you.

--
Jack Tavares

________________________________________
From: ISC Support Staff [support-staff at isc.org]
Sent: Tuesday, March 26, 2013 11:08
To: Jack Tavares
Cc: bind-users at isc.org
Subject: Re: ISC Security Advisory: CVE-2013-2266: A Maliciously Crafted Regular Expression Can Cause Memory Exhaustion in named

On 3/26/13 10:05 AM, Jack Tavares wrote:
>
> I have a request for clarification:
>
> The workaround states to rebuild BIND with regexp support disabled.
>
> And I see new versions of BIND have been released.
> Are those versions just a rebuild with regexp support disabled?
> Or are they a more comprehensive fix?

This question is addressed in the "CVE-2013-2266: FAQ and Supplemental
Information" Knowledge Base article, which I encourage everyone to read.
https://kb.isc.org/article/AA-00879

Please see specifically the section which begins:

   "What is the difference between deploying the patched versions
   of BIND versus implementing the documented workaround?"

Thanks,

Michael McNally
ISC Support



More information about the bind-users mailing list