-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2011-001 ================================= Topic: BIND DoS due to improper handling of RRSIG records Version: NetBSD-current: affected prior to 20101203 NetBSD 5.1: affected prior to 20110111 NetBSD 5.0: affected prior to 20110111 NetBSD 4.0.*: affected prior to 20110124 NetBSD 4.0: affected prior to 20110124 pkgsrc: net/bind97 package prior to 20101203 Severity: Denial of Service Fixed: NetBSD-current: Dec 2nd, 2010 NetBSD-5-1 branch: Jan 10th, 2011 NetBSD-5-0 branch: Jan 10th, 2011 NetBSD-5 branch: Jan 6th, 2011 NetBSD-4-0 branch: Jan 23rd, 2011 NetBSD-4 branch: Jan 23rd, 2011 pkgsrc net/bind97: bind-9.7.2pl3 corrects this issue pkgsrc net/bind96: bind-9.6.2pl3 corrects this issue Please note that NetBSD releases prior to 4.0 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract ======== Failure to clear existing RRSIG records when a NO DATA is negatively cached could cause subsequent lookups to crash named. This vulnerability has been assigned CVE-2010-3613 and CERT Vulnerability Note VU#706148. Technical Details ================= Adding certain types of signed negative responses to the cache doesn't clear any matching RRSIG records already in the cache. A subsequent lookup of the cached data can cause named to crash (INSIST). This vulnerability affects recursive nameservers irrespective of whether DNSSEC validation is enabled or disabled. Exploitation requires a DNS client authorized to use the nameserver for recursion requesting information about a specially prepared zone not on the same nameserver. Solutions and Workarounds ========================= We suggest fixing this vulnerability by using the current net/bind97 pkgsrc package instead of the in-system bind until the entire system can be updated (eg to the next security/critical release, or a binary snapshot from http://nyftp.netbsd.org/pub/NetBSD-daily/ from past the fix date). Thanks To ========= Thanks to the Internet Systems Consortium for reporting this vulnerability. Thanks to Christos Zoulas for fixing this issue in - -current. Thanks to Petra Zeidler for preparing the pullups to fix this issue on the branches. Revision History ================ 2011-02-01 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2011-001.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ . Copyright 2011, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2011-001.txt,v 1.1 2011/02/01 22:03:34 tonnerre Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (NetBSD) iQIcBAEBAgAGBQJNSIjqAAoJEAZJc6xMSnBu3GQQAIiJ4rrAGtIuuJNdLJJMC0LB 3JhOG8c2+926KGQm+hZ90WDaKe8GxMie5GvXFHtX0ChvGtuVBQj18OAtwHjw1Dfh j4erCmZF4KBNiK1IqUeQ1UM3DV3pT0zt/+uY/XzrCy/ppNK4tmY5+levWr/eMLpH +utiNjvxU3/7cmChreypDbO8wkOABypCbELJBpJY1EgBFG+IZdlKVTKDWq0GRAnh x+QQbJVpVAmzp5jwr99jJe66syqqE8za/giaFjwfeI6pSMNTsd9BjyOfu4KdlNQr d4zvjeR/euFynwX4zq+pa6avgBxO+isJJPW/sDMfUN3+W9OctIm5/ghLzerxflo2 W+WdhtaoloBA5dmW/dI6HePZ8ht/Zb7p911BjxBDwKiTJ/Ae9uOjuuox89k8rvo6 wjJ/G9mlRAyAMhJyyEzhx0oaINVPH0rANYsGe5C+3DTB4mGiIsdwemNXC5MEd8gy +Hj9d3GNB5wQlzEm6wxxnSsqcHJlJlr1wiDnxbQzvLi8e73FWjPvlD7vsHeiSxcT wWOmu4HOoI4n0E3JE0JBUJJtHsn2RcNbvkj1Jk8txR7c0eL8TdI6MxRlmVzYaMi3 vpsIPxrzBdfZz9SernAbKPOBOzcoVKrMgo5Za+0Q4bOqw/rCrHzb3/MMtkDFN6Jp JjIAmNPGq2EhJkk3gRmq =WX9T -----END PGP SIGNATURE-----