Bug 494543 (CVE-2006-4096) - CVE-2006-4096 INSIST failure in ISC BIND recursive query
Summary: CVE-2006-4096 INSIST failure in ISC BIND recursive query
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2006-4096
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard:
Depends On:
Blocks:
Reported: 2009-04-07 12:28 UTC by Josh Bressers
Modified: 2021-11-12 19:33 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-04-08 22:01:06 UTC
Embargoed:


Attachments
Patch for this issue (2.00 KB, patch)
2009-04-07 12:32 UTC, Adam Tkac

Description Josh Bressers 2009-04-07 12:28:06 UTC
BIND before 9.2.6-P1 and 9.3.x before 9.3.2-P1 allows remote attackers to
cause a denial of service (crash) via a flood of recursive queries, which
cause an INSIST failure when the response is received after the recursion
queue is empty.

Comment 1 Adam Tkac 2009-04-07 12:32:01 UTC
Created attachment 338495
Patch for this issue

Comment 3 Josh Bressers 2009-04-07 16:51:10 UTC
This is fixed in Red Hat Enterprise Linux 3 and 4 by the patch
bind-9.2.4-bz173961.patch

It was fixed in the errata RHBA-2006:0287 and RHBA-2006:0288.

They are not marked as RHSA errata as the patch went in before it was recognized as being a security relevant fix. The errata do however note the CVE id in question.

Comment 4 Josh Bressers 2009-04-07 16:55:47 UTC
The technical details about the fix for this flaw can be found in bug 173961

Specifically comment #21

