Bug 494543 (CVE-2006-4096)

Summary: CVE-2006-4096 INSIST failure in ISC BIND recursive query
Product: [Other] Security Response
Reporter: Josh Bressers <bressers>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: atkac, dwalsh, vdanen
Keywords: Security
Hardware: All
OS: Linux
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4096
Doc Type: Bug Fix
Last Closed: 2010-04-08 22:01:06 UTC
Attachments: Patch for this issue (flags: none)

Description Josh Bressers 2009-04-07 12:28:06 UTC
BIND before 9.2.6-P1 and 9.3.x before 9.3.2-P1 allows remote attackers to
cause a denial of service (crash) via a flood of recursive queries, which
cause an INSIST failure when the response is received after the recursion
queue is empty.

Comment 1 Adam Tkac 2009-04-07 12:32:01 UTC
Created attachment 338495
Patch for this issue

Comment 3 Josh Bressers 2009-04-07 16:51:10 UTC
This is fixed in Red Hat Enterprise Linux 3 and 4 by the patch
bind-9.2.4-bz173961.patch.

It was fixed in the errata RHBA-2006:0287 and RHBA-2006:0288.

They are not marked as RHSA errata as the patch went in before it was recognized as being a security-relevant fix. The errata do, however, note the CVE id in question.

Comment 4 Josh Bressers 2009-04-07 16:55:47 UTC
The technical details about the fix for this flaw can be found in bug 173961.

Specifically, comment #21.