|Summary:||CVE-2011-0414 bind: named lockup with IXFR or DDNS update and a high query rate|
|Product:||[Other] Security Response||Reporter:||Vincent Danen <vdanen>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED NOTABUG||QA Contact:|
|Version:||unspecified||CC:||atkac, bressers, wnefal+redhatbugzilla|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2011-07-13 10:06:30 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||679560|
Description Vincent Danen 2011-02-22 18:09:27 UTC
It was reported  that when the BIND authoritative name server daemon (named) processed a successful IXFR transfer or a dynamic update, there was a small period of time during which the IXFR/update, along with a query, could cause the server to stop processing all requests. A higher update and/or query rate would increase the probability of the deadlock occurring. This flaw only affects BIND 9.7.1 and 9.7.2; upstream has released 9.7.3 to correct this flaw. Upstream also documents that using the "-n1" option to cause named to use only one worker thread would mitigate this problem.  https://www.isc.org/software/bind/advisories/cve-2011-0414
Comment 1 Vincent Danen 2011-02-22 20:46:43 UTC
Upstream verified to me that this was introduced in 9.7.1, so bind in RHEL6 is not vulnerable. The fix is also noted as: Corrected a defect where a combination of dynamic updates and zone transfers incorrectly locked the in-memory zone database, causing named to freeze. [RT #22614] in http://ftp.isc.org/isc/bind9/9.7.3/RELEASE-NOTES-BIND-9.7.3.html 9.7.3 is currently in Fedora 13 and 14 testing repositories.
Comment 2 Vincent Danen 2011-02-22 20:47:33 UTC
Statement: Not vulnerable. This issue did not affect the versions of bind as shipped with Red Hat Enterprise Linux 4, 5, or 6.