Bug 842897 (CVE-2012-3817)

Summary: CVE-2012-3817 bind: heavy DNSSEC validation load can cause assertion failure
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: atkac, thozza
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20120724,reported=20120724,source=internet,cvss2=5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P,rhel-3/bind=notaffected,rhel-4/bind=notaffected,rhel-5/bind=affected,rhel-5/bind97=affected,rhel-6/bind=affected,fedora-all/bind=affected
Doc Type: Bug Fix
Last Closed: 2012-07-31 00:17:10 EDT
Bug Depends On: 842900, 842909, 842910, 842911, 842912, 842914, 842915    
Bug Blocks: 842904    
Attachments: patch to correct CVE-2012-3817 (flags: vdanen: review+)

Description Vincent Danen 2012-07-24 16:57:46 EDT
Upstream has released BIND versions 9.9.1-P2, 9.8.3-P2, 9.7.6-P2, and 9.6-ESV-R7-P2 to correct the following flaw:

BIND 9 stores a cache of query names that are known to be failing due to misconfigured name servers or a broken chain of trust. Under high query loads when DNSSEC validation is active, it is possible for a condition to arise in which data from this cache of failing queries could be used before it was fully initialized, triggering an assertion failure.

This bug cannot be encountered unless your server is doing DNSSEC validation.

9.4 and 9.5 are also reported to be affected by this flaw; it's likely that 9.3 is as well.

External Reference:

https://kb.isc.org/article/AA-00729
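An added example, not part of the original report or of ISC's or Red Hat's tooling: a check of an upstream BIND 9 version string against the fixed releases listed above. The function names, the verdict strings and the ordering of ESV releases after x.y.z releases within a branch are assumptions, and the sample versions in the demo loop are constructed. It applies to upstream version strings only, because distribution packages that backport the fix keep an older upstream version number.

```python
import re

# Fixed upstream releases per branch, as listed in the bug description.
FIXED = {(9, 9): "9.9.1-P2", (9, 8): "9.8.3-P2",
         (9, 7): "9.7.6-P2", (9, 6): "9.6-ESV-R7-P2"}
REPORTED_AFFECTED = {(9, 4), (9, 5)}   # "also reported to be affected"
LIKELY_AFFECTED = {(9, 3)}             # "it's likely that 9.3 is as well"

_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+)|-ESV(?:-R(\d+))?)"
                  r"(?:(a|b|rc)(\d+))?(?:-P(\d+))?$")
_STAGE = {"a": 0, "b": 1, "rc": 2, None: 3}   # pre-releases sort before final


def parse(version):
    """Turn an upstream BIND 9 version string into a sortable tuple."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version: {version!r}")
    major, minor, rel, esv_rel, stage, stage_n, patch = m.groups()
    is_esv = rel is None                       # 9.6-ESV[-Rn] form
    release = int(esv_rel or 0) if is_esv else int(rel)
    # Assumption: within a branch, ESV releases sort after the x.y.z ones.
    return (int(major), int(minor), int(is_esv), release,
            _STAGE[stage], int(stage_n or 0), int(patch or 0))


def status(version, validating=True):
    """Classify an upstream version against CVE-2012-3817."""
    key = parse(version)
    branch = key[:2]
    if branch in FIXED:
        if key >= parse(FIXED[branch]):
            return "fixed"
        verdict = "affected"
    elif branch in REPORTED_AFFECTED:
        verdict = "affected"
    elif branch in LIKELY_AFFECTED:
        verdict = "likely-affected"
    else:
        return "unknown"                       # branch not named on the page
    # The flaw is only reachable while DNSSEC validation is active.
    return verdict if validating else "not-triggerable"


if __name__ == "__main__":
    # Constructed sample inputs.
    for v in ("9.8.3-P1", "9.8.3-P2", "9.6-ESV-R7-P1", "9.7.6", "9.5.2-P4"):
        print(v, status(v))
```
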
Comment 1 Vincent Danen 2012-07-24 17:02:30 EDT
Created bind tracking bugs for this issue

Affects: fedora-all [bug 842900]

Comment 2 Vincent Danen 2012-07-24 17:59:39 EDT
Created attachment 600171
patch to correct CVE-2012-3817

This patch is derived from a diff of 9.6-ESV-R7-P1 and -P2.  There were two other things fixed in -P2, but I'm pretty certain this is all that is required to correct this flaw, but it should probably be double-checked.

Comment 10 Vincent Danen 2012-07-27 10:47:32 EDT
Just to note that bind 9.2.4 (as provided in Red Hat Enterprise Linux 4) is not affected by this issue as it does not contain the vulnerable code.

Comment 11 errata-xmlrpc 2012-07-30 23:50:51 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1122 https://rhn.redhat.com/errata/RHSA-2012-1122.html

Comment 12 errata-xmlrpc 2012-07-31 00:02:23 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:1123 https://rhn.redhat.com/errata/RHSA-2012-1123.html

Comment 13 Fedora Update System 2012-08-09 18:53:04 EDT
bind-9.8.3-3.P2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2012-08-09 19:14:37 EDT
bind-9.9.1-5.P2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.