On 11/16/11 9:55 AM, Chris Brookes wrote:
Any info on whether the newly announced bug can be triggered before
the query ACL is applied on a recursive only server? An authoritative
only server ought to be safe?

According to our best current understanding of the issue:

+  Authoritative-only nameservers should be safe and only
   recursing servers at risk.

+  From the security advisory we have posted on our website:
   ( http://www.isc.org/software/bind/advisories/cve-2011-4313 )
   "An as-yet unidentified network event caused BIND 9 resolvers
   to cache an invalid record, subsequent queries for which could
   crash the resolvers with an assertion failure."

   Your server has to be servicing a query for the invalid cache
   data to pull the trigger on this.  That comes after the query
   ACL is applied.

Although that's somewhat better than "anyone, anywhere, can cause
this to happen to any server at any time", you should not rely on
it, as it requires little imagination to think how a user in your
network might be enticed into an action which caused them to issue
a query for the malformed data.

Mitigation patches have been posted to the ISC web site which can
prevent the server from exiting when the invalid cache data is
encountered.  We strongly advise anyone running a recursing BIND 9
server to deploy them.

Michael McNally
ISC Support