Bug 238398 (CVE-2007-2241)

Summary: CVE-2007-2241 bind remote DoS
Product: [Other] Security Response Reporter: Mark J. Cox <mjc>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: high    
Version: unspecifiedCC: atkac, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-15 15:00:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Extracted patch from 9.4.1 none

Description Mark J. Cox 2007-04-30 08:33:05 UTC 
Internet Systems Consortium Security Advisory.
                   BIND 9: query_addsoa DoS
                            30 April 2007

Versions affected:

        BIND 9.4.0
        BIND 9.5.0a1, 9.5.0a2, 9.5.0a3

        [BIND 9.5.0* have only been released to BIND Forum members]

Severity: High

Description:

        There are 2 query sequences which can cause a recursive nameserver
        to exit.

Workaround:

        Disable recursion if it is not required by your configuration.

                recursion no;

Fix:

        Upgrade to BIND 9.4.1 or BIND 9.5.0a4.

        Questions should be addressed to bind9-bugs.

CVE:    CVE-2007-2241
Comment 2 Mark J. Cox 2007-04-30 08:37:25 UTC 
Created attachment 153776 [details]
Extracted patch from 9.4.1
Comment 3 Josh Bressers 2007-04-30 19:48:45 UTC 
According to ISC, this flaw only affects BIND 9.4.0 and above.
Comment 4 Mark J. Cox 2007-05-01 08:27:49 UTC 
removing embargo, this is public now at        
http://www.isc.org/index.pl?/sw/bind/
Comment 5 Adam Tkac 2007-05-02 14:49:53 UTC 
Only rawhide was affected. bind-*9.4.1-1.fc7 is invulnerable

-A-
Comment 6 Tomas Hoger 2008-01-15 15:00:07 UTC 
Bind packages as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5 were not
affected by this issue.

Fedora packages were updated where needed as explained in comment #5.