Red Hat Bugzilla – Full Text Bug Listing
|Summary:||CVE-2012-3817 bind: heavy DNSSEC validation load can cause assertion failure|
|Product:||[Other] Security Response||Reporter:||Vincent Danen <vdanen>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED ERRATA||QA Contact:|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2012-07-31 00:17:10 EDT||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||842900, 842909, 842910, 842911, 842912, 842914, 842915|
Description Vincent Danen 2012-07-24 16:57:46 EDT
Upstream has released BIND versions 9.9.1-P2, 9.8.3-P2, 9.7.6-P2, and 9.6-ESV-R7-P2 to correct the following flaw: BIND 9 stores a cache of query names that are known to be failing due to misconfigured name servers or a broken chain of trust. Under high query loads when DNSSEC validation is active, it is possible for a condition to arise in which data from this cache of failing queries could be used before it was fully initialized, triggering an assertion failure. This bug cannot be encountered unless your server is doing DNSSEC validation. 9.4 and 9.5 are also reported to be affected by this flaw; it's likely that 9.3 is as well. External Reference: https://kb.isc.org/article/AA-00729
Comment 1 Vincent Danen 2012-07-24 17:02:30 EDT
Created bind tracking bugs for this issue Affects: fedora-all [bug 842900]
Comment 2 Vincent Danen 2012-07-24 17:59:39 EDT
Created attachment 600171 [details] patch to correct CVE-2012-3817 This patch is derived from a diff of 9.6-ESV-R7-P1 and -P2. There were two other things fixed in -P2, but I'm pretty certain this is all that is required to correct this flaw, but it should probably be double-checked.
Comment 10 Vincent Danen 2012-07-27 10:47:32 EDT
Just to note that bind 9.2.4 (as provided in Red Hat Enterprise Linux 4) is not affected by this issue as it does not contain the vulnerable code.
Comment 11 errata-xmlrpc 2012-07-30 23:50:51 EDT
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2012:1122 https://rhn.redhat.com/errata/RHSA-2012-1122.html
Comment 12 errata-xmlrpc 2012-07-31 00:02:23 EDT
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2012:1123 https://rhn.redhat.com/errata/RHSA-2012-1123.html
Comment 13 Fedora Update System 2012-08-09 18:53:04 EDT
bind-9.8.3-3.P2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2012-08-09 19:14:37 EDT
bind-9.9.1-5.P2.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.