trigger point for new bug
michoski
michoski at cisco.com
Wed Nov 16 22:22:30 UTC 2011
On 11/16/11 1:20 PM, "Michael McNally" <mcnally at isc.org> wrote:
> According to our best current understanding of the issue:
>
> + Authoritative-only nameservers should be safe and only
> recursing servers at risk.
>
> + From the security advisory we have posted on our website:
> ( http://www.isc.org/software/bind/advisories/cve-2011-4313 )
> "An as-yet unidentified network event caused BIND 9 resolvers
> to cache an invalid record, subsequent queries for which could
> crash the resolvers with an assertion failure."
>
> Your server has to be servicing a query for the invalid cache
> data to pull the trigger on this. That comes after the query
> ACL is applied.
Thanks for the detailed analysis.
> Mitigation patches have been posted to the ISC web site which can
> prevent the server from exiting when the invalid cache data is
> encountered. We strongly advise anyone running a recursing BIND 9
> server to deploy them.
A short time ago I grabbed the latest tarball from your download site, and
generated internal packages. I could have sworn that was 9.8.1-P4 (our
internal packages still have the P4, and Google finds some hits):
PROD:1 mhoskins at adns1:~$ rpm -qa | grep bind
bind98-utils-9.8.1-1.P4
bind98-libs-9.8.1-1.P4
bind98-chroot-9.8.1-1.P4
bind98-9.8.1-1.P4
...which led to mass confusion on how/why "P1" is newer than "P4" -- or if I
somehow entered a magic time warp. Were "P4" packages posted for some
window of time that were later removed?
No worries, I will move to P1 given today's date on the tarball. :-)
Thanks!
--
By nature, men are nearly alike;
by practice, they get to be wide apart.
-- Confucius
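The advisory text quoted above draws one practical line: authoritative-only servers are not at risk, recursing servers are, and the trigger only fires for a query that has already passed the query ACL. The following script is an added example (not code from this thread, from ISC or from Cisco) that turns that into a quick inventory check: it parses `rpm -qa | grep bind` output of the form shown in the mail into name, version and patch level, and reads a `named.conf` `options` block to report whether recursion is on and which ACL governs it. The `named.conf` excerpt is constructed for the example; the package naming convention (`name-version-release.Pn`) is assumed from the lines in the mail, and the ACL fallback order (`allow-recursion`, then `allow-query-cache`, then `allow-query`, then `localnets; localhost`) follows the BIND 9 ARM.

```python
import re

# Constructed sample input: the "rpm -qa | grep bind" lines quoted in the mail above.
RPM_QA_OUTPUT = """\
bind98-utils-9.8.1-1.P4
bind98-libs-9.8.1-1.P4
bind98-chroot-9.8.1-1.P4
bind98-9.8.1-1.P4
"""

# Constructed named.conf excerpt (hypothetical host; not from the thread).
NAMED_CONF = """
options {
    directory "/var/named";      // working directory
    recursion yes;               # resolver for the internal nets
    allow-query { any; };
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
};
"""

# name-version-release with an optional ".Pn" patch-level suffix; this packaging
# convention is assumed from the lines above, other distributions differ.
RPM_LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_+-]+?)-(?P<version>\d+(?:\.\d+)+)-(?P<release>\d+)"
    r"(?:\.(?P<patch>P\d+))?$"
)


def parse_rpm_lines(text):
    """Return one dict per package line with name, version, release and patch level."""
    packages = []
    for line in text.splitlines():
        m = RPM_LINE_RE.match(line.strip())
        if m:
            packages.append(m.groupdict())
    return packages


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def options_block(text):
    """Return the body of the top-level 'options { ... };' block, or '' if absent."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return ""  # unbalanced braces: treat as no usable options block


def parse_statements(body):
    """Split 'key value;' and 'key { a; b; };' statements at depth-0 semicolons."""
    stmts, depth, cur = {}, 0, []
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            stmt = "".join(cur).strip()
            cur = []
            if not stmt:
                continue
            parts = stmt.split(None, 1)
            key = parts[0]
            rest = parts[1].strip() if len(parts) > 1 else ""
            if rest.startswith("{") and rest.endswith("}"):
                stmts[key] = [x.strip() for x in rest[1:-1].split(";") if x.strip()]
            else:
                stmts[key] = rest
        else:
            cur.append(ch)
    return stmts


def recursion_exposure(conf_text):
    """Summarise whether this named.conf runs a recursive resolver and who may use it.

    Assumed defaults (BIND 9 ARM): recursion is on unless set to 'no', and the
    recursion ACL falls back from allow-recursion to allow-query-cache, then
    allow-query, then 'localnets; localhost'.
    """
    opts = parse_statements(options_block(strip_comments(conf_text)))
    recursion = opts.get("recursion", "yes").lower() != "no"
    acl = None
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in opts:
            acl = opts[key] if isinstance(opts[key], list) else [opts[key]]
            break
    if acl is None:
        acl = ["localnets", "localhost"]
    return {
        "recursion": recursion,
        "recursion_acl": acl,
        # recursion offered to 'any' is the worst case for a cache-poisoning-style trigger
        "open_resolver": recursion and "any" in acl,
    }


if __name__ == "__main__":
    for pkg in parse_rpm_lines(RPM_QA_OUTPUT):
        print("{name}: {version} patch={patch}".format(**pkg))
    print(recursion_exposure(NAMED_CONF))
```

An authoritative-only host (`recursion no`) reports `recursion: False` and can be set aside; a resolver whose effective ACL contains `any` is the one to patch first, since every client on the internet can send it the query that reaches the invalid cache entry.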