On 02/08/15 00:16, Scott Dowdle wrote:
> Greetings,
> 
> ----- Original Message -----
>> So there's a new DoS vulnerability in bind that will cause the
>> bind process to exit if a certain packet is sent.
>> 
>> It mentions the following: Both recursive and authoritative servers
>> are vulnerable to this defect. Additionally, exposure is not
>> prevented by either ACLs or configuration options limiting or
>> denying service because the exploitable code occurs early in the
>> packet handling, before checks enforcing those boundaries.
>> 
>> All versions of BIND 9 from BIND 9.1.0 (inclusive) through BIND 
>> 9.9.7-P1 and BIND 9.10.2-P2 are vulnerable.
>> 
>> Operators should take steps to upgrade to a patched version as
>> soon as possible.
>> 
>> The ISC has blogged about it here: 
>> https://www.isc.org/blogs/about-cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/
>>
>>
>> Essentially, its a "Whoops, you're all screwed. Upgrade now".
>> 
>> So, any news on an updated version in SL as an urgent priority??
> 
> RH has released updates, right?  So it shouldn't be too long SL has
> an update.  They usually track those pretty closely.  A mitigator,
> since this is only a crash-bind issue... on EL7 with systemd
> anyway... would be to make a drop-in file that restarts bind whenever
> it isn't running.  Thanks systemd.

... which will then exit on the next funky packet, which systemd would
restart, until the next funky packet (until forever).

It doesn't exactly mitigate the problem unless the patch is applied -
just causes a higher system load if you get targeted or hit hard.

-- 
Steven Haigh

Email: [log in to unmask]
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897