Bug 838761 - ndjbdns vulnerable to cve-2012-1191 (ghost domain attack)
Summary: ndjbdns vulnerable to cve-2012-1191 (ghost domain attack)
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: ndjbdns (Show other bugs)
(Show other bugs)
Version: 17
Hardware: All All
unspecified
urgent
Target Milestone: ---
Assignee: pjp
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-07-10 03:04 UTC by Mark Johnson
Modified: 2013-02-01 17:20 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-01 16:47:48 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Mark Johnson 2012-07-10 03:04:39 UTC
Description of problem:  ndjbdns is vulnerable to CVE-2012-1191 (ghost domain attack)


Version-Release number of selected component (if applicable):  all


How reproducible:  https://www.isc.org/files/imce/ghostdomain_camera.pdf


Steps to Reproduce:
1.  Cause the victim resolver to resolve and cache malicious domain before it is removed from the root.
2.  Manipulate the victim resolver to continue to cache delegation data for the malicious domain after the original expiration time.
3.  Profit!
  
Actual results:  Malicious removed domain still resolvable by victim resolver.


Expected results:  Targeted resolver unable / refuses to resolve removed malicious domain.


Additional info:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1191

Comment 1 pjp 2013-01-13 18:17:46 UTC
I have applied the patch to fix this issue. Please have a look at:

 -> https://github.com/pjps/ndjbdns/commit/c90dbbbac5622e2744733f39e037263e63b51266

Thank you.

Comment 2 Fedora Update System 2013-01-20 12:36:32 UTC
ndjbdns-1.05.6-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/ndjbdns-1.05.6-1.fc16

Comment 3 Fedora Update System 2013-01-20 12:36:45 UTC
ndjbdns-1.05.6-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/ndjbdns-1.05.6-1.fc17

Comment 4 Fedora Update System 2013-01-20 12:36:55 UTC
ndjbdns-1.05.6-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/ndjbdns-1.05.6-1.fc18

Comment 5 Fedora Update System 2013-01-23 01:24:33 UTC
Package ndjbdns-1.05.6-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ndjbdns-1.05.6-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-1176/ndjbdns-1.05.6-1.fc18
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2013-02-01 16:47:49 UTC
ndjbdns-1.05.6-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2013-02-01 17:15:41 UTC
ndjbdns-1.05.6-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2013-02-01 17:20:03 UTC
ndjbdns-1.05.6-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.