Bug 842897 - (CVE-2012-3817) CVE-2012-3817 bind: heavy DNSSEC validation load can cause assertion failure
CVE-2012-3817 bind: heavy DNSSEC validation load can cause assertion failure
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20120724,repo...
: Security
Depends On: 842900 842909 842910 842911 842912 842914 842915
Blocks: 842904
  Show dependency treegraph
 
Reported: 2012-07-24 16:57 EDT by Vincent Danen
Modified: 2015-11-24 10:07 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-07-31 00:17:10 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
patch to correct CVE-2012-3817 (841 bytes, patch)
2012-07-24 17:59 EDT, Vincent Danen
vdanen: review+
Details | Diff

  None (edit)
Description Vincent Danen 2012-07-24 16:57:46 EDT
Upstream has released BIND versions 9.9.1-P2, 9.8.3-P2, 9.7.6-P2, and 9.6-ESV-R7-P2 to correct the following flaw:

BIND 9 stores a cache of query names that are known to be failing due to misconfigured name servers or a broken chain of trust. Under high query loads when DNSSEC validation is active, it is possible for a condition to arise in which data from this cache of failing queries could be used before it was fully initialized, triggering an assertion failure.

This bug cannot be encountered unless your server is doing DNSSEC validation.

9.4 and 9.5 are also reported to be affected by this flaw; it's likely that 9.3 is as well.

External Reference:

https://kb.isc.org/article/AA-00729
Comment 1 Vincent Danen 2012-07-24 17:02:30 EDT
Created bind tracking bugs for this issue

Affects: fedora-all [bug 842900]
Comment 2 Vincent Danen 2012-07-24 17:59:39 EDT
Created attachment 600171 [details]
patch to correct CVE-2012-3817

This patch is derived from a diff of 9.6-ESV-R7-P1 and -P2.  There were two other things fixed in -P2, but I'm pretty certain this is all that is required to correct this flaw, but it should probably be double-checked.
Comment 10 Vincent Danen 2012-07-27 10:47:32 EDT
Just to note that bind 9.2.4 (as provided in Red Hat Enterprise Linux 4) is not affected by this issue as it does not contain the vulnerable code.
Comment 11 errata-xmlrpc 2012-07-30 23:50:51 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1122 https://rhn.redhat.com/errata/RHSA-2012-1122.html
Comment 12 errata-xmlrpc 2012-07-31 00:02:23 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:1123 https://rhn.redhat.com/errata/RHSA-2012-1123.html
Comment 13 Fedora Update System 2012-08-09 18:53:04 EDT
bind-9.8.3-3.P2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2012-08-09 19:14:37 EDT
bind-9.9.1-5.P2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.