Sorry for the top post but there is no data yet at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0414. I'll assume that is coming along. I have 9.7.3 ready for release on Solaris 8 and 9 and 10; however, I wanted to refer to the various security info sites.

Do you know if the folks at NIST are doing an update?

--
Dennis Clarke
dcla...@opensolaris.ca <- Email related to the open source Solaris
dcla...@blastwave.org <- Email related to open source for Solaris

------------------

> Internet Systems Consortium Security Advisory
>
> Title: Server Lockup Upon IXFR or DDNS Update Combined with High Query Rate
>
> (http://www.isc.org/software/bind/advisories/cve-2011-0414)
>
> CVE-2011-0414
>
> VU#559980
>
> CVSS: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
> For more information on the Common Vulnerability Scoring System and to
> obtain your specific environmental score please visit:
> http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
>
> Posting date: 2011-02-22
>
> Program Impacted: BIND
>
> Versions affected: 9.7.1-9.7.2-P3
>
> Severity: High
>
> Exploitable: Remotely
>
> Description and Impact:
>
> When an authoritative server processes a successful IXFR transfer or a
> dynamic update, there is a small window of time during which the
> IXFR/update coupled with a query may cause a deadlock to occur. This
> deadlock will cause the server to stop processing all requests. A high
> query rate and/or a high update rate will increase the probability of
> this condition.
>
> Workaround:
>
> Depending on your performance requirements, a work-around may be
> available. ISC was not able to reproduce this defect in 9.7.2 using -n
> 1, which causes named to use only one worker thread, thus avoiding the
> deadlock. If your server is powerful enough to serve your data with a
> single processor, this option may be fast to implement until you have
> time to perform an upgrade.
>
> Active exploits: None known, but a description of the issue is available
> in the release notes for BIND 9.6.3 and 9.7.3.
>
> Solution: If you run BIND 9.7.1 or 9.7.2, upgrade to BIND 9.7.3. Earlier
> versions are not vulnerable. If you run BIND 9.6.x, 9.6-ESV-R?, or
> 9.4-ESV-R4, you do not need to upgrade. BIND 9.5 is End of Life and is
> not supported by ISC. BIND 9.8 is not vulnerable.
>
> Credits: Thank you to Neustar for finding the initial defect and JPRS
> for further testing and analysis.
>
> Questions regarding this advisory or ISC's Support services should be
> sent to bind9-b...@isc.org
> For more information on ISC's support, consulting, training, and other
> services, visit
> http://www.isc.org/community/blog/201102/open-source-software-unsupported-isnt-it

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
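As an added example (not part of this post or of ISC's advisory), a POSIX sh check that classifies the version string `named -v` prints against the affected range the advisory states, 9.7.1 through 9.7.2-P3, and prints the advisory's remedy (upgrade to 9.7.3, or `-n 1` in the meantime). The version strings in the usage loop are constructed, and treating beta/rc or other suffixed 9.7.x builds as outside the stated range is an assumption.

```shell
#!/bin/sh
# Added example, not from the post or ISC: classify a BIND version string
# against the CVE-2011-0414 affected range (9.7.1 through 9.7.2-P3) and
# print the advisory's remedy. Input is the text `named -v` prints
# (e.g. "BIND 9.7.2-P3") or a bare version; usage inputs are constructed.

# Split "9.7.2-P3" into major/minor/patch/plevel (sets global variables).
# plevel is the -Pn patch level (0 when absent); suffix keeps the raw tail
# ("-P3", "-ESV-R4", "") so callers can reject builds outside the range.
bind_parse() {
    ver=${1#"BIND "}; ver=${ver%%" "*}  # accept raw `named -v` output
    base=${ver%%-*}                     # "9.7.2"  (drop -P3, -ESV-R4, ...)
    suffix=${ver#"$base"}               # "-P3", "-ESV-R4" or ""
    major=${base%%.*}; rest=${base#*.}
    minor=${rest%%.*};  patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "9.6" has no third component
    case $suffix in
        -P[0-9]*) plevel=${suffix#-P} ;;
        *)        plevel=0 ;;
    esac
}

# Return 0 when VERSION is inside 9.7.1 .. 9.7.2-P3, 1 otherwise.
# 9.7.0 and earlier, 9.7.3, 9.6.x, the ESV branches and 9.8 are not
# vulnerable per the advisory. Assumption: beta/rc builds and any other
# suffix on 9.7.x are outside the stated range and reported not affected.
bind_affected() {
    bind_parse "$1"
    [ "$major" -eq 9 ] && [ "$minor" -eq 7 ] || return 1
    case $suffix in ""|-P[0-9]*) ;; *) return 1 ;; esac
    case $patch in ""|*[!0-9]*) return 1 ;; esac   # e.g. "3b1"
    [ "$patch" -eq 1 ] && return 0
    [ "$patch" -eq 2 ] && [ "$plevel" -le 3 ] && return 0
    return 1
}

# Print the advisory's remedy for VERSION.
bind_advice() {
    if bind_affected "$1"; then
        echo "affected: upgrade to BIND 9.7.3 (interim: run named with -n 1)"
    else
        echo "not affected by CVE-2011-0414"
    fi
}

# Usage with constructed inputs; on a real host: bind_advice "$(named -v)"
for v in "BIND 9.7.2-P3" "9.7.1-P2" "9.7.0" "9.7.3" "9.6-ESV-R4" "9.8.0"; do
    printf '%-14s %s\n' "$v" "$(bind_advice "$v")"
done
```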