Bug 842897 (CVE-2012-3817) - CVE-2012-3817 bind: heavy DNSSEC validation load can cause assertion failure
Summary: CVE-2012-3817 bind: heavy DNSSEC validation load can cause assertion failure
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-3817
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 842900 842909 842910 842911 842912 842914 842915
Blocks: 842904
 
Reported: 2012-07-24 20:57 UTC by Vincent Danen
Modified: 2021-12-10 14:22 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-07-31 04:17:10 UTC
Embargoed:


Attachments
patch to correct CVE-2012-3817 (841 bytes, patch)
2012-07-24 21:59 UTC, Vincent Danen
vdanen: review+


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2012:1122 | 0 | normal | SHIPPED_LIVE | Important: bind97 security update | 2012-07-31 07:47:48 UTC
Red Hat Product Errata | RHSA-2012:1123 | 0 | normal | SHIPPED_LIVE | Important: bind security update | 2012-07-31 07:58:44 UTC

Description Vincent Danen 2012-07-24 20:57:46 UTC
Upstream has released BIND versions 9.9.1-P2, 9.8.3-P2, 9.7.6-P2, and 9.6-ESV-R7-P2 to correct the following flaw:

BIND 9 stores a cache of query names that are known to be failing due to misconfigured name servers or a broken chain of trust. Under high query loads when DNSSEC validation is active, it is possible for a condition to arise in which data from this cache of failing queries could be used before it was fully initialized, triggering an assertion failure.

This bug cannot be encountered unless your server is doing DNSSEC validation.

9.4 and 9.5 are also reported to be affected by this flaw; it's likely that 9.3 is as well.

External Reference:

https://kb.isc.org/article/AA-00729

Comment 1 Vincent Danen 2012-07-24 21:02:30 UTC
Created bind tracking bugs for this issue

Affects: fedora-all [bug 842900]

Comment 2 Vincent Danen 2012-07-24 21:59:39 UTC
Created attachment 600171
patch to correct CVE-2012-3817

This patch is derived from a diff of 9.6-ESV-R7-P1 and -P2.  There were two other things fixed in -P2, but I'm pretty certain this is all that is required to correct this flaw, but it should probably be double-checked.

Comment 10 Vincent Danen 2012-07-27 14:47:32 UTC
Just to note that bind 9.2.4 (as provided in Red Hat Enterprise Linux 4) is not affected by this issue as it does not contain the vulnerable code.
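For triage, the version statements in the description and in comment 10 can be turned into a check on upstream BIND 9 release strings. This is an added example, not code from the bug report, ISC or Red Hat; the function names and result labels are assumptions, and it applies only to upstream version strings, since distribution packages that backport the fix are tracked by their errata instead.

```python
import re

# Fixed upstream releases per branch, from the bug description.
FIXED = {(9, 9): "9.9.1-P2", (9, 8): "9.8.3-P2",
         (9, 7): "9.7.6-P2", (9, 6): "9.6-ESV-R7-P2"}
# Branches the report lists without naming a fixed upstream release.
NO_FIX_LISTED = {(9, 5): "affected", (9, 4): "affected",
                 (9, 3): "likely affected"}

_VERSION = re.compile(
    r"^(\d+)\.(\d+)"                     # branch, e.g. 9.8
    r"(?:\.(\d+)|-ESV(?:-R(\d+))?)?"     # .3  or  -ESV / -ESV-R7
    r"(?:-P(\d+))?$"                     # optional patch level, e.g. -P2
)


def parse(version):
    """Return (branch, sort_key) for an upstream BIND 9 release string."""
    text = version.strip()
    m = _VERSION.match(text)
    if not m:
        # Alpha/beta/rc and vendor-suffixed strings are deliberately rejected.
        raise ValueError(f"unsupported version string: {version!r}")
    major, minor, point, esv_rel, patch = m.groups()
    is_esv = "-ESV" in text
    number = int(esv_rel or 0) if is_esv else int(point or 0)
    # ESV releases sort after every plain point release on the same branch.
    return (int(major), int(minor)), (int(is_esv), number, int(patch or 0))


def status(version):
    """Classify a version string using only what this bug report states."""
    if version.strip() == "9.2.4":
        return "not affected"            # comment 10
    branch, key = parse(version)
    if branch in FIXED:
        return "fixed" if key >= parse(FIXED[branch])[1] else "affected"
    return NO_FIX_LISTED.get(branch, "not covered by this report")
```

An "affected" result matters only on servers that perform DNSSEC validation, as the description notes.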

Comment 11 errata-xmlrpc 2012-07-31 03:50:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1122 https://rhn.redhat.com/errata/RHSA-2012-1122.html

Comment 12 errata-xmlrpc 2012-07-31 04:02:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:1123 https://rhn.redhat.com/errata/RHSA-2012-1123.html

Comment 13 Fedora Update System 2012-08-09 22:53:04 UTC
bind-9.8.3-3.P2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2012-08-09 23:14:37 UTC
bind-9.9.1-5.P2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

