[bug-notifications] [bind 0005000]: CVE-2012-4244: CSWbind unstable should be updated to 9.8.3-P3

Mantis Bug Tracker noreply at opencsw.org
Tue Sep 18 17:24:41 CEST 2012


The following issue has been CLOSED 
====================================================================== 
https://www.opencsw.org/mantis/view.php?id=5000 
====================================================================== 
Reported By:                antint
Assigned To:                
====================================================================== 
Project:                    bind
Issue ID:                   5000
Category:                   upgrade
Reproducibility:            N/A
Severity:                   major
Priority:                   normal
Status:                     closed
Resolution:                 open
Fixed in Version:           
====================================================================== 
Date Submitted:             2012-09-18 16:53 CEST
Last Modified:              2012-09-18 17:24 CEST
====================================================================== 
Summary:                    CVE-2012-4244: CSWbind unstable should be updated to
9.8.3-P3
Description: 
A nameserver can be caused to exit with a REQUIRE exception if it can be
induced to load a specially crafted resource record.

CVE: CVE-2012-4244
Document Version:          2.0
Posting date: 12 September 2012
Program Impacted: BIND
Versions affected: 9.0.x -> 9.6.x, 9.4-ESV->9.4-ESV-R5-P1,
9.6-ESV->9.6-ESV-R7-P2, 9.7.0->9.7.6-P2, 9.8.0->9.8.3-P2, 9.9.0->9.9.1-P2
Severity: Critical
Exploitable: 
Remotely

Description:

If a record with RDATA in excess of 65535 bytes is loaded into a
nameserver, a subsequent query for that record will cause named to exit
with an assertion failure.

Please Note: Versions of BIND 9.4 and 9.5 are also affected, but these
branches are beyond their "end of life" (EOL) and no longer receive testing
or security fixes from ISC. For current information on which versions are
actively supported, please see http://www.isc.org/software/bind/versions.

Impact:

This vulnerability can be exploited remotely against recursive servers by
inducing them to query for records provided by an authoritative server. It
affects authoritative servers if a zone containing this type of resource
record is loaded from file or provided via zone transfer.

CVSS Score:  7.8

CVSS Equation:  (AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Workarounds:

Workarounds are under investigation, but none are known at this time.

Active exploits: 

No known active exploits.

Solution:  Upgrade to the patched version or new release most closely
related to your current version of BIND. The patched versions of BIND can
be downloaded from http://www.isc.org/downloads/all.  The new release
versions will be available within the next week.

BIND 9 version 9.7.7, 9.7.6-P3
BIND 9 version 9.6-ESV-R8, 9.6-ESV-R7-P3
BIND 9 version 9.8.4, 9.8.3-P3
BIND 9 version 9.9.2, 9.9.1-P3
Document Revision History:

1.0 - 4 Sept., 2012  Advance Notification to Phase 1
1.1 - 6 Sept. 2012 Corrected error in Description (65535 bytes)
1.2 - 11 Sept. 2012 Phase 2 & 3 notified
2.0 - 12 Sept. 2012 Phase 4 - Public Released

Related Documents:

See our BIND Security Matrix for a complete listing of Security
Vulnerabilities and versions affected.
If you'd like more information on our Forum or product support please visit
www.isc.org/software/guild or www.isc.org/support.

Do you still have questions?  Questions regarding this advisory should go
to security-officer at isc.org

Note: ISC patches only currently supported versions. When possible we
indicate EOL versions affected.

ISC Security Vulnerability Disclosure Policy:  Details of our current
security advisory policy and practice can be found here:
https://www.isc.org/security-vulnerability-disclosure-policy

This Knowledge Base article https://kb.isc.org/article/AA-00778 is the
complete and official security advisory document.  There is also a summary
article located on our website and linking to here:
https://www.isc.org/software/bind/advisories/cve-2012-4244

Legal Disclaimer: 
Internet Systems Consortium (ISC) is providing this notice on an "AS IS"
basis. No warranty or guarantee of any kind is expressed in this notice and
none should be implied. ISC expressly excludes and disclaims any warranties
regarding this notice or materials referred to in this notice, including,
without limitation, any implied warranty of merchantability, fitness for a
particular purpose, absence of hidden defects, or of non-infringement. Your
use or reliance on this notice or materials referred to in this notice is
at your own risk. ISC may change this notice at any time.  A stand-alone
copy or paraphrase of the text of this document that omits the document URL
is an uncontrolled copy. Uncontrolled copies may lack important
information, be out of date, or contain factual errors.

© 2001-2012 Internet Systems Consortium

====================================================================== 

---------------------------------------------------------------------- 
 (0010123) bonivart (manager) - 2012-09-18 17:24
 https://www.opencsw.org/mantis/view.php?id=5000#c10123 
---------------------------------------------------------------------- 
No problem. Easy bugs are the best. :)



More information about the bug-notifications mailing list