Bug 248850 (CVE-2007-2925)
| Summary: | CVE-2007-2925 bind allow-query-cache/allow-recursion default ACL issue | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Mark J. Cox <mjc> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | atkac, kreilly |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-06-05 14:35:44 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I've found some additional problem around this
2206. [security] "allow-query-cache" and "allow-recursion" now
cross inherit from each other.
If allow-query-cache is not set in named.conf then
allow-recursion is used if set, otherwise allow-query
is used if set, otherwise the default (localnets;
localhost;) is used.
If allow-recursion is not set in named.conf then
allow-query-cache is used if set, otherwise allow-query
is used if set, otherwise the default (localnets;
localhost;) is used.
Only F7 and rawhide are affected. allow-query-cache option doesn't exist in
RHELs and <= Fedora 6 (problem with relation between allow-recursion and
allow-query-cache doesn't exist).
Second problem is in default allow-recursion acl setup. In >= 9.4 are default
acls { localhost; localnet; }; and these wasn't set correctly. In bind < 9.4 are
default acls { any; }; (when any is specified it means NULL pointer in BIND's
code - no setup is needed)
Adam
Issue is public now, opening bug. This issue did not affect the versions of bind as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Fedora bind versions already updated to fixed upstream version. |
Internet Systems Consortium Security Advisory. BIND 9: allow-query-cache/allow-recursion default acls not set. 17 July 2007 Versions affected: BIND 9.4.0, 9.4.1 BIND 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, 9.5.0a5 Severity: Medium. Description: The default access control lists (acls) are not being correctly set. If not set anyone can make recursive queries and/or query the cache contents. Workaround: Explicitly set allow-query-cache and allow-recursion acl's if not already set to "{ localnets; localhost; };". If recursion is supposed to be allowed to local clients (default). options { recursion yes; // default allow-recursion { localnets; localhost; }; allow-query-cache { localnets; localhost; }; ... }; If recursion is disallowed. options { recursion no; allow-query-cache { localnets; localhost; }; ... }; Fix: Upgrade to BIND BIND 9.4.1-P1, BIND 9.4.2 or BIND 9.5.0a6. Questions should be addressed to bind9-bugs. CVE: CVE-2007-2925 (CERT-US VU#187297) ** embargo set to 23 July 2007 **