Hi,

Does “a successful IXFR transfer” include “AXFR-style IXFR”?

Thanks,
T. Matsumoto

From: bind-users-bounces+tmatsumo=yahoo-corp...@lists.isc.org [mailto:bind-users-bounces+tmatsumo=yahoo-corp...@lists.isc.org] On Behalf Of Larissa Shapiro
Sent: Wednesday, February 23, 2011 5:56 AM
To: bind-users@lists.isc.org
Subject: Security Advisory: Server Lockup Upon IXFR or DDNS Update Combined with High Query Rate

Internet Systems Consortium Security Advisory

Title: Server Lockup Upon IXFR or DDNS Update Combined with High Query Rate
(http://www.isc.org/software/bind/advisories/cve-2011-0414)

CVE-2011-0414
VU#559980
CVSS: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Posting date: 2011-02-22
Program Impacted: BIND
Versions affected: 9.7.1-9.7.2-P3
Severity: High
Exploitable: Remotely

Description and Impact:

When an authoritative server processes a successful IXFR transfer or a dynamic update, there is a small window of time during which the IXFR/update coupled with a query may cause a deadlock to occur. This deadlock will cause the server to stop processing all requests. A high query rate and/or a high update rate will increase the probability of this condition.

Workaround:

Depending on your performance requirements, a work-around may be available. ISC was not able to reproduce this defect in 9.7.2 using -n 1, which causes named to use only one worker thread, thus avoiding the deadlock. If your server is powerful enough to serve your data with a single processor, this option may be fast to implement until you have time to perform an upgrade.

Active exploits:

None known, but a description of the issue is available in the release notes for BIND 9.6.3 and 9.7.3.

Solution:

If you run BIND 9.7.1 or 9.7.2, upgrade to BIND 9.7.3. Earlier versions are not vulnerable. If you run BIND 9.6.x, 9.6-ESV-R?, or 9.4-ESV-R4, you do not need to upgrade.

BIND 9.5 is End of Life and is not supported by ISC. BIND 9.8 is not vulnerable.

Credits:

Thank you to Neustar for finding the initial defect and JPRS for further testing and analysis.

Questions regarding this advisory or ISC's Support services should be sent to bind9-b...@isc.org

For more information on ISC's support, consulting, training, and other services, visit http://www.isc.org/community/blog/201102/open-source-software-unsupported-isnt-it

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
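Added example, not part of this thread and not ISC's code: a small Python check that maps the first line of `named -v` output and the `named` command line onto the advisory's affected window (9.7.1 through 9.7.2-P3, fixed in 9.7.3) and its `-n 1` single-worker-thread workaround. Function names and the sample inputs are my own; the version boundaries and the ESV/9.8/earlier-release exemptions are taken from the advisory text above.

```python
"""Triage a BIND build against the CVE-2011-0414 advisory (added example)."""
import re

# Affected window stated in the advisory: 9.7.1 through 9.7.2-P3.
# Tuples are (major, minor, patch, patch-level), so 9.7.2-P3 > 9.7.2.
AFFECTED_MIN = (9, 7, 1, 0)
AFFECTED_MAX = (9, 7, 2, 3)

# Matches "9.7.2", "9.7.2-P3", "9.6.3". ESV trains such as "9.6-ESV-R3"
# have no x.y.z number and deliberately fall through (advisory: not affected).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?\b")


def parse_named_version(output: str):
    """Turn a `named -v` line like 'BIND 9.7.2-P3' into (9, 7, 2, 3).
    Returns None when no x.y.z release number is present."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(version) -> bool:
    """True only inside the advisory's window; 9.6.x, ESV trains,
    9.7.3 and 9.8 all fall outside it."""
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX


def single_worker_thread(argv) -> bool:
    """True if named was started with the workaround '-n 1'.
    Also accepts the attached form '-n1' (assumed getopt-style spelling)."""
    for i, arg in enumerate(argv):
        if arg == "-n" and i + 1 < len(argv) and argv[i + 1] == "1":
            return True
        if arg == "-n1":
            return True
    return False


def assess(version_output: str, named_argv) -> str:
    """Summarise what the advisory asks of this host."""
    version = parse_named_version(version_output)
    if not is_affected(version):
        return "not affected"
    if single_worker_thread(named_argv):
        return "affected: -n 1 workaround in place, upgrade to 9.7.3 when possible"
    return "affected: upgrade to 9.7.3 (or run with -n 1 until you can)"


if __name__ == "__main__":
    # Constructed sample hosts: (`named -v` first line, named command line).
    hosts = [
        ("BIND 9.7.2-P3", ["named", "-u", "bind", "-c", "/etc/named.conf"]),
        ("BIND 9.7.2", ["named", "-u", "bind", "-n", "1"]),
        ("BIND 9.6.3", ["named"]),
        ("BIND 9.6-ESV-R3", ["named"]),
        ("BIND 9.8.0", ["named"]),
    ]
    for ver, argv in hosts:
        print(f"{ver:18} {' '.join(argv):45} -> {assess(ver, argv)}")
```

Feed it the output of `named -v` and the process's argument list (for example from `ps -o args= -C named`); anything reported as affected should be scheduled for the 9.7.3 upgrade regardless of whether `-n 1` is already set.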