<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#ffffff" text="#000000">
<p>
Internet Systems Consortium
Security Advisory
</p>
<p>
Title: Server Lockup Upon IXFR or DDNS Update Combined with High
Query Rate<br>
</p>
<p>(<a class="moz-txt-link-freetext" href="http://www.isc.org/software/bind/advisories/cve-2011-0414">http://www.isc.org/software/bind/advisories/cve-2011-0414</a>)<br>
</p>
<p>
CVE-2011-0414
</p>
<p>
VU#559980
</p>
<p>
CVSS: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C) <br>
For more information on the Common Vulnerability Scoring System,
and to obtain your specific environmental score, please visit: <a
href="http://nvd.nist.gov/cvss.cfm?calculator&amp;adv&amp;version=2"
target="_top">http://nvd.nist.gov/cvss.cfm?calculator&amp;adv&amp;version=2</a>
</p>
<p>
Posting date: 2011-02-22
</p>
<p>
Program Impacted: BIND
</p>
<p>
Versions affected: 9.7.1-9.7.2-P3
</p>
<p>
Severity: High
</p>
<p>
Exploitable: Remotely
</p>
<p>
Description and Impact:
</p>
<p>
When an authoritative server processes a successful IXFR transfer
or a dynamic update, there is a small window of time during which
the IXFR/update coupled with a query may cause a deadlock to
occur. This deadlock will cause the server to stop processing all
requests. A high query rate and/or a high update rate will
increase the probability of this condition.
</p>
<p>
Workaround:
</p>
<p>
Depending on your performance requirements, a workaround may be
available. ISC was not able to reproduce this defect in 9.7.2
when named was run with -n 1, which causes named to use only one
worker thread and thus avoids the deadlock. If your server is
powerful enough to serve your data with a single processor, this
option can be implemented quickly as a stopgap until you have time
to perform an upgrade.
</p>
<p>
Active exploits: None known, but a description of the issue is
available in the release notes for BIND 9.6.3 and 9.7.3.
</p>
<p>
Solution: If you run BIND 9.7.1 or 9.7.2, upgrade to BIND 9.7.3.
Earlier versions are not vulnerable. If you run BIND 9.6.x,
9.6-ESV-R?, or 9.4-ESV-R4, you do not need to upgrade. BIND 9.5 is
End of Life and is not supported by ISC. BIND 9.8 is not
vulnerable.
</p>
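<p>
Added example (not part of the ISC advisory and not ISC code): a POSIX
shell function that classifies a BIND version string, such as the one
printed by named -v, against the affected range and solution text above.
The function name, the "unknown" result for pre-release or unlisted patch
levels, and treating 9.7 releases after 9.7.3 as fixed are assumptions of
this example.
</p>

```shell
#!/bin/sh
# Added example, not ISC code. Affected range per the advisory:
# BIND 9.7.1 through 9.7.2-P3. Everything else it lists is not vulnerable.

# bind_cve_2011_0414_status VERSION  (hypothetical helper name)
# Prints "affected", "not-affected" or "unknown".
bind_cve_2011_0414_status() {
    v=${1#BIND }        # accept "BIND 9.7.2-P3" as well as "9.7.2-P3"
    v=${v%% *}          # drop anything after the version token
    case $v in
        9.7.[0-9]*) ;;                                 # 9.7 branch: look closer
        9.7|9.7[!0-9]*) echo unknown; return 0 ;;      # 9.7 with no patch number
        9.[0-9]*) echo not-affected; return 0 ;;       # 9.4-ESV, 9.6.x, 9.8 ...
        *) echo unknown; return 0 ;;                   # not a BIND 9 version
    esac

    rest=${v#9.7.}            # e.g. "2-P3", "1", "2rc1"
    patch=${rest%%[!0-9]*}    # leading digits: the third version component
    suffix=${rest#"$patch"}   # "", "-P3", "rc1", ...

    case $patch in
        1|2) ;;                                # inside the affected releases
        *) echo not-affected; return 0 ;;      # 9.7.0, or 9.7.3 and later (assumed fixed)
    esac

    case $suffix in
        "") echo affected ;;
        -P[0-9]*)
            plevel=${suffix#-P}
            case $plevel in *[!0-9]*) echo unknown; return 0 ;; esac
            # Every 9.7.1 patch release is inside the range; 9.7.2 only up to -P3.
            if [ "$patch" -eq 1 ] || [ "$plevel" -le 3 ]; then
                echo affected
            else
                echo unknown      # above 9.7.2-P3: not covered by the advisory
            fi ;;
        *) echo unknown ;;        # rc/beta builds: the advisory does not say
    esac
}

# Constructed sample versions (not taken from any real host).
for sample in "BIND 9.7.2-P3" 9.7.3 9.6-ESV-R4 9.7.2rc1; do
    printf '%s\t%s\n' "$sample" "$(bind_cve_2011_0414_status "$sample")"
done
```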
<p>
Credits: Thank you to Neustar for finding the initial defect and
JPRS for further testing and analysis.
</p>
<p>
Questions regarding this advisory or ISC's Support services should
be sent to <a href="mailto:bind9-bugs@isc.org">bind9-bugs@isc.org</a><br>
For more information on ISC's support, consulting, training, and
other services, visit <br>
<a class="moz-txt-link-freetext" href="http://www.isc.org/community/blog/201102/open-source-software-unsupported-isnt-it">http://www.isc.org/community/blog/201102/open-source-software-unsupported-isnt-it</a><br>
</p>
</body>
</html>