A denial of service flaw was found in the way bind-dyndb-ldap, a dynamic LDAP back-end plug-in for BIND providing LDAP database back-end capabilities, handled LDAP connection errors / attempted to recover when an error occurred during an LDAP search for a particular DNS query. When the Berkeley Internet Name Domain (BIND) server was patched to support dynamic loading of database back-ends, and the LDAP database back-end was enabled, a remote attacker could use this flaw to cause a denial of service (named process hang) via a DNS query for a zone served by bind-dyndb-ldap.
bind-dyndb-ldap backend upstream commit, which introduced the problem:
Created attachment 579913
Preliminary version of bind-dyndb-ldap upstream patch to correct this issue
This issue affects the version of the bind-dyndb-ldap package, as shipped with Red Hat Enterprise Linux 6.
This issue affects the versions of the bind-dyndb-ldap package, as shipped with Fedora releases 15 and 16. Please schedule an update.
Created bind-dyndb-ldap tracking bugs for this issue
Affects: fedora-all [bug 815862]
Red Hat would like to thank Ronald van Zantvoort for reporting this issue.
bind-dyndb-ldap-1.1.0-0.11.rc1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
bind-dyndb-ldap-1.1.0-0.11.rc1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2012:0683 https://rhn.redhat.com/errata/RHSA-2012-0683.html
bind-dyndb-ldap-1.1.0-0.11.rc1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
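As an added example (not part of this bug report and not code from the bind-dyndb-ldap project): a small check that tells you whether an installed Fedora bind-dyndb-ldap package is at or above the fixed builds pushed to stable above. Comparing "0.11.rc1" against "0.9.rc1" as plain strings gets the wrong answer, so the script implements rpm's version comparison rules (digit and alpha segments, leading-zero stripping, '~' pre-release ordering) rather than string ordering. Assumptions: the fixed NVRs are exactly the three listed in this bug (fc15, fc16, fc17); no epoch is involved; the RHEL 6 fix from RHSA-2012:0683 is not listed here by version, so a non-Fedora release tag yields "unknown" rather than a guess.

```python
import re
import sys
from typing import Optional, Tuple

# Fixed builds as pushed to Fedora stable, taken from this bug report.
# (RHEL 6 is fixed via RHSA-2012:0683, but its NVR is not given here,
#  so an el6 package is reported as unknown rather than guessed.)
FIXED_FEDORA = {
    "fc15": "bind-dyndb-ldap-1.1.0-0.11.rc1.fc15",
    "fc16": "bind-dyndb-ldap-1.1.0-0.11.rc1.fc16",
    "fc17": "bind-dyndb-ldap-1.1.0-0.11.rc1.fc17",
}

NVR_RE = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)$")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings with rpm's rules.
    Returns 1 if a is newer, -1 if b is newer, 0 if they are equal."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric or '~') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # '~' sorts before everything, including end of string: 1.0~rc1 < 1.0
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take the next all-digit or all-alpha segment from both strings.
        isnum = a[i].isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        sa = re.match(pat, a[i:]).group(0)
        i += len(sa)
        mb = re.match(pat, b[j:])
        if mb is None:
            # Segment types differ: a numeric segment is newer than an alpha one.
            return 1 if isnum else -1
        sb = mb.group(0)
        j += len(sb)
        if isnum:
            # Numeric segments: drop leading zeros, then longer means larger.
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever string still has segments left is the newer one.
    return -1 if i >= len(a) else 1


def split_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split 'name-version-release' (no epoch, no .arch) into its parts."""
    m = NVR_RE.match(nvr)
    if m is None:
        raise ValueError("not a name-version-release string: %r" % nvr)
    return m.group("name"), m.group("ver"), m.group("rel")


def is_fixed(installed_nvr: str) -> Optional[bool]:
    """True if the installed Fedora package is at/above the fixed build,
    False if it is older, None if no fixed NVR is known for its dist tag."""
    name, ver, rel = split_nvr(installed_nvr)
    if name != "bind-dyndb-ldap":
        raise ValueError("expected a bind-dyndb-ldap package, got %r" % name)
    dist = re.search(r"\.(fc\d+)$", rel)
    if dist is None or dist.group(1) not in FIXED_FEDORA:
        return None
    _, fixed_ver, fixed_rel = split_nvr(FIXED_FEDORA[dist.group(1)])
    # Compare version first; only if equal does the release decide.
    cmp = rpmvercmp(ver, fixed_ver) or rpmvercmp(rel, fixed_rel)
    return cmp >= 0


if __name__ == "__main__":
    # Usage: python check.py "$(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}' bind-dyndb-ldap)"
    nvr = sys.argv[1] if len(sys.argv) > 1 else "bind-dyndb-ldap-1.1.0-0.10.rc1.fc16"
    state = is_fixed(nvr)
    print("%s: %s" % (nvr, {True: "fixed", False: "VULNERABLE", None: "unknown dist"}[state]))
```

Feed it the output of `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}' bind-dyndb-ldap`; a hung named (the symptom described in this bug) would still need a separate liveness probe such as `dig +time=2 +tries=1` against a zone served from LDAP, which this script does not do.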