Confused about CVE-2013-2266
Mark Andrews
marka at isc.org
Thu Apr 4 20:08:17 UTC 2013
It says "or upgrade to the patched release most closely related to your current version of BIND"
then it lists the two versions to choose from.
9.9.2-P2 is fixed as is 9.9.3b2.
Mark
In message <CAHu+3OwiXZjjoFXZ90yq8zS4e0KB8Sx8h6N21PG_ERDyUR-ufA at mail.gmail.com>, Red Cricket writes:
>
> Hi,
>
> I am sorry for being so dense but I am confused about what to do about
> protecting my BIND DNS servers running 9.9.1-P4 from the regex issue.
>
> The link https://kb.isc.org/article/AA-00871 says this ...
>
> Impact:
>
> ... Intentional exploitation of this condition can cause denial of service
> in all authoritative and recursive nameservers running affected versions of
> BIND 9 [all versions of BIND 9.7, BIND 9.8.0 through 9.8.5b1 (inclusive)
> and BIND9.9.0 through BIND 9.9.3b1 (inclusive)].
>
> OK ... I run 9.9.1-P4 so my DNS server could be affected by this issue.
> But later on in the link it says ...
>
> Solution:
>
> Compile BIND 9 without regular expression support as described in the
> "Workarounds" section of this advisory or upgrade to the patched release
> most closely related to your current version of BIND. These can be
> downloaded from http://www.isc.org/downloads/all.
>
> * BIND 9 version 9.9.2-P2
>
> But its 9.9.2-P2 with in BIND9.9.0 through BIND 9.9.3b1? So is 9.9.2-P2
> also affected? If I build from the 9.9.2-P2 tarball do I need to patch the
> config.h as discussed in the "Workarounds" section?
>
> Thanks
> Red
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list