servfail-ttl 0; option in the named.conf global section is crashing the named (BIND 9.10.6)

Nagesh Thati nagesh.thati at tcpwave.com
Mon Mar 5 06:37:53 UTC 2018


Thanks Cathy.

________________________________
From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Cathy Almond <cathya at isc.org>
Sent: Monday, March 5, 2018 11:53:44 AM
To: bind-users at lists.isc.org
Subject: Re: servfail-ttl 0; option in the named.conf global section is crashing the named (BIND 9.10.6)

On 05/03/2018 05:50, Nagesh Thati wrote:
> Hello,
>
> I have added a servfail-ttl 0; parameter in the named.conf file in the
> global section and restarted named, but named is not coming up and I
> don't see any errors printed in the named.log. When I run
> named-checkconf on named.conf it gives the error UNKNOWN OPTION
> servfail-ttl. The version I am using is the BIND 9.10.6 stable build. Can
> someone help me with this?
> Thanks.
>
> To fix this bug I have added the above parameter: CVE-2018-5734: A
> malformed request can trigger an assertion failure in badcache.c
> <https://kb.isc.org/article/AA-01562/0/CVE-2018-5734%3A-A-malformed-request-can-trigger-an-assertion-failure-in-badcache.c.html>

CVE-2018-5734 affects only the editions listed in the security advisory:

9.10.5-S1 to 9.10.5-S4, 9.10.6-S1, and 9.10.6-S2

These are Supported Preview Editions of BIND provided to eligible ISC
Support customers, not the same as the ones available for download from
our website.

Servfail cache was added to BIND Open Source from BIND 9.11 (although it
was backported to some of the -S editions as a Supported Preview
feature) - see:
https://kb.isc.org/article/AA-01310/109/BIND9-Significant-Features-Matrix.html

This is why the servfail-ttl option is unknown in 9.10.6.

So you're not vulnerable to CVE-2018-5734 - although I see why you might
have thought that you are because the -S editions of BIND have a similar
version numbering scheme to the regular editions, but with -S appended
(it's not often that we have a security issue that affects only those,
but it is still necessary to issue an advisory).

Hope this clarifies (and also sets your mind at rest)?

Cathy
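As an added illustration of the two points Cathy makes (the advisory's affected list is a handful of -S editions, and the servfail cache only reached open-source BIND in 9.11), here is a small POSIX shell helper that is not part of the thread or of ISC's tooling. It takes a BIND version string, says whether it appears in the advisory's affected list as quoted above, and whether an open-source named at that version is expected to know the servfail-ttl option. The function names and verdict wording are this example's own; for -S editions it deliberately gives no answer about servfail-ttl, because the reply only says the feature was backported to "some" of them.

```shell
#!/bin/sh
# Added example, not part of the thread: classify a BIND version string
# against the CVE-2018-5734 affected list quoted above, and say whether an
# open-source named at that version is expected to know "servfail-ttl".
# Function names and the verdict wording are this example's own.

# Affected editions exactly as listed in the reply.
CVE_2018_5734_AFFECTED="9.10.5-S1 9.10.5-S2 9.10.5-S3 9.10.5-S4 9.10.6-S1 9.10.6-S2"

# Exit 0 if the version is one of the affected Supported Preview editions.
bind_affected_by_cve_2018_5734() {
  for a in $CVE_2018_5734_AFFECTED; do
    [ "$1" = "$a" ] && return 0
  done
  return 1
}

# Exit 0 if the version carries an -S suffix (Supported Preview Edition).
is_supported_preview_edition() {
  case "$1" in
    *-S[0-9]*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Exit 0 if open-source BIND at this version has the servfail cache
# (9.11 and later, per the reply), 1 if it predates it, 2 for an -S edition,
# where availability varies and the features matrix must be consulted.
servfail_ttl_known() {
  v="$1"
  if is_supported_preview_edition "$v"; then
    return 2
  fi
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  minor=${minor%%[!0-9]*}   # drop any -P1 style suffix glued to the minor number
  if [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 11 ]; }; then
    return 0
  fi
  return 1
}

# Human-readable verdict for one version string (two lines of output).
report() {
  v="$1"
  if bind_affected_by_cve_2018_5734 "$v"; then
    echo "$v: affected by CVE-2018-5734, apply the fixed -S release"
  else
    echo "$v: not affected by CVE-2018-5734"
  fi
  rc=0
  servfail_ttl_known "$v" || rc=$?
  case $rc in
    0) echo "$v: servfail-ttl is a known option (servfail cache present)" ;;
    1) echo "$v: servfail-ttl will be rejected as UNKNOWN OPTION (servfail cache added in 9.11)" ;;
    2) echo "$v: Supported Preview Edition, check the features matrix for servfail cache support" ;;
  esac
}

# Usage: ./bindcheck.sh 9.10.6
if [ $# -gt 0 ]; then
  report "$1"
fi
```

Running it with the version from the original question, 9.10.6, reports both that it is outside the advisory's affected list and that servfail-ttl will be rejected, which is exactly the combination of symptoms the thread explains.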