ID

VAR-201303-0312

CVE

CVE-2013-2266

TITLE

ISC BIND 9 'libdns' Remote Denial of Service Vulnerability

DESCRIPTION

libdns in ISC BIND 9.7.x and 9.8.x before 9.8.4-P2, 9.8.5 before 9.8.5b2, 9.9.x before 9.9.2-P2, and 9.9.3 before 9.9.3b2 on UNIX platforms allows remote attackers to cause a denial of service (memory consumption) via a crafted regular expression, as demonstrated by a memory-exhaustion attack against a machine running a named process. ISC BIND is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to crash the affected application, denying service to legitimate users. The following are affected: ISC BIND 9.7.x ISC BIND 9.8.0 through versions 9.8.5-b1 ISC BIND 9.9.0 through versions 9.9.3-b1. For the stable distribution (squeeze), this problem has been fixed in version 1:9.7.3.dfsg-1~squeeze10. For the testing distribution (wheezy), this problem has been fixed in version 1:9.8.4.dfsg.P1-6+nmu1. For the unstable distribution (sid), this problem has been fixed in version 1:9.8.4.dfsg.P1-6+nmu1. We recommend that you upgrade your bind9 packages. Release Date: 2013-04-30 Last Updated: 2013-06-14 Potential Security Impact: Remote Denial of Service (DoS) Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified with HP-UX running BIND. This vulnerability could be exploited remotely to create a Denial of Service (DoS). References: CVE-2013-2266 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP-UX B.11.31 running BIND 9.7.3 prior to C.9.7.3.2.0 BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2013-2266 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has provided an updated version of the BIND service to resolve this vulnerability. This early release depot will be replaced by the June 2013 Web Upgrade, which is functionally identical. This update is available from the following location https://h20392.www2.hp.c om/portal/swdepot/displayProductInfo.do?productNumber=BIND BIND 9.7.3 for HP-UX Release Depot Name B.11.31 (PA and IA) bind973.depot MANUAL ACTIONS: Yes - Update Download and install the software update PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa The following text is for use by the HP-UX Software Assistant. AFFECTED VERSIONS For BIND 9.7.3 HP-UX B.11.31 ================== NameService.BIND-AUX NameService.BIND-RUN action: install revision C.9.7.3.2.0 or subsequent END AFFECTED VERSIONS HISTORY Version:1 (rev.1) - 30 April 2013 Initial release Version:2 (rev.2) - 14 June 2013 Revised location of update. Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2013 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: bind security and bug fix update Advisory ID: RHSA-2013:0689-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0689.html Issue date: 2013-03-28 CVE Names: CVE-2013-2266 ===================================================================== 1. Summary: Updated bind packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A denial of service flaw was found in the libdns library. A remote attacker could use this flaw to send a specially-crafted DNS query to named that, when processed, would cause named to use an excessive amount of memory, or possibly crash. (CVE-2013-2266) Note: This update disables the syntax checking of NAPTR (Naming Authority Pointer) resource records. This update also fixes the following bug: * Previously, rebuilding the bind-dyndb-ldap source RPM failed with a "/usr/include/dns/view.h:76:21: error: dns/rrl.h: No such file or directory" error. (BZ#928439) All bind users are advised to upgrade to these updated packages, which contain patches to correct these issues. After installing the update, the BIND daemon (named) will be restarted automatically. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 928027 - CVE-2013-2266 bind: libdns regular expressions excessive resource consumption DoS 928439 - building bind-dyndb-ldap error: dns/rrl.h: No such file or directory 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/bind-9.8.2-0.17.rc1.el6_4.4.src.rpm i386: bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-libs-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-utils-9.8.2-0.17.rc1.el6_4.4.i686.rpm x86_64: bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-libs-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-libs-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-utils-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/bind-9.8.2-0.17.rc1.el6_4.4.src.rpm i386: bind-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-chroot-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-devel-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-sdb-9.8.2-0.17.rc1.el6_4.4.i686.rpm x86_64: bind-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-chroot-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-devel-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-devel-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-sdb-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/bind-9.8.2-0.17.rc1.el6_4.4.src.rpm x86_64: bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-libs-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-libs-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-utils-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/bind-9.8.2-0.17.rc1.el6_4.4.src.rpm x86_64: bind-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-chroot-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-devel-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-devel-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-sdb-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/bind-9.8.2-0.17.rc1.el6_4.4.src.rpm i386: bind-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-chroot-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-libs-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-utils-9.8.2-0.17.rc1.el6_4.4.i686.rpm ppc64: bind-9.8.2-0.17.rc1.el6_4.4.ppc64.rpm bind-chroot-9.8.2-0.17.rc1.el6_4.4.ppc64.rpm bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.ppc.rpm bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.ppc64.rpm bind-libs-9.8.2-0.17.rc1.el6_4.4.ppc.rpm bind-libs-9.8.2-0.17.rc1.el6_4.4.ppc64.rpm bind-utils-9.8.2-0.17.rc1.el6_4.4.ppc64.rpm s390x: bind-9.8.2-0.17.rc1.el6_4.4.s390x.rpm bind-chroot-9.8.2-0.17.rc1.el6_4.4.s390x.rpm bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.s390.rpm bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.s390x.rpm bind-libs-9.8.2-0.17.rc1.el6_4.4.s390.rpm bind-libs-9.8.2-0.17.rc1.el6_4.4.s390x.rpm bind-utils-9.8.2-0.17.rc1.el6_4.4.s390x.rpm x86_64: bind-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-chroot-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-libs-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-libs-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-utils-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/bind-9.8.2-0.17.rc1.el6_4.4.src.rpm i386: bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-devel-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-sdb-9.8.2-0.17.rc1.el6_4.4.i686.rpm ppc64: bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.ppc.rpm bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.ppc64.rpm bind-devel-9.8.2-0.17.rc1.el6_4.4.ppc.rpm bind-devel-9.8.2-0.17.rc1.el6_4.4.ppc64.rpm bind-sdb-9.8.2-0.17.rc1.el6_4.4.ppc64.rpm s390x: bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.s390.rpm bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.s390x.rpm bind-devel-9.8.2-0.17.rc1.el6_4.4.s390.rpm bind-devel-9.8.2-0.17.rc1.el6_4.4.s390x.rpm bind-sdb-9.8.2-0.17.rc1.el6_4.4.s390x.rpm x86_64: bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-devel-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-devel-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-sdb-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/bind-9.8.2-0.17.rc1.el6_4.4.src.rpm i386: bind-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-chroot-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-libs-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-utils-9.8.2-0.17.rc1.el6_4.4.i686.rpm x86_64: bind-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-chroot-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-libs-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-libs-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-utils-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/bind-9.8.2-0.17.rc1.el6_4.4.src.rpm i386: bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-devel-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-sdb-9.8.2-0.17.rc1.el6_4.4.i686.rpm x86_64: bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-debuginfo-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-devel-9.8.2-0.17.rc1.el6_4.4.i686.rpm bind-devel-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm bind-sdb-9.8.2-0.17.rc1.el6_4.4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2013-2266.html https://access.redhat.com/security/updates/classification/#important http://www.isc.org/software/bind/advisories/cve-2013-2266 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFRVMLdXlSAg2UNWIIRAsZfAKCyin6VjKh+MJwZjqJ0tn2+ayZTygCdEwWJ SMtY22xlYL6dxJ9RgKwa9Q0= =/8r6 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2266 _______________________________________________________________________ Updated Packages: Mandriva Enterprise Server 5: f36857a433daea597c4ec28038905d17 mes5/i586/bind-9.7.6-0.0.P4.0.2mdvmes5.2.i586.rpm 46c527cc9b22e9177e6fedf60c65925a mes5/i586/bind-devel-9.7.6-0.0.P4.0.2mdvmes5.2.i586.rpm a0bbe5405898b2a2ce7f513788a6a229 mes5/i586/bind-doc-9.7.6-0.0.P4.0.2mdvmes5.2.i586.rpm b321cb2a467724660df48cf92b3945f0 mes5/i586/bind-utils-9.7.6-0.0.P4.0.2mdvmes5.2.i586.rpm 890d003d00da0bfaf671313e85f46d1e mes5/SRPMS/bind-9.7.6-0.0.P4.0.2mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: 08de2e6cfa579e00e253c37bea966307 mes5/x86_64/bind-9.7.6-0.0.P4.0.2mdvmes5.2.x86_64.rpm ae6189e64132f148a639360d66368fcb mes5/x86_64/bind-devel-9.7.6-0.0.P4.0.2mdvmes5.2.x86_64.rpm 4ee72b2b8917de78790060bb73018af9 mes5/x86_64/bind-doc-9.7.6-0.0.P4.0.2mdvmes5.2.x86_64.rpm c1dd1ebdd63f4cc9fbb83ca0b8a435e0 mes5/x86_64/bind-utils-9.7.6-0.0.P4.0.2mdvmes5.2.x86_64.rpm 890d003d00da0bfaf671313e85f46d1e mes5/SRPMS/bind-9.7.6-0.0.P4.0.2mdvmes5.2.src.rpm Mandriva Business Server 1/X86_64: 71ea4fee0536640c4f391b8ee8b39658 mbs1/x86_64/bind-9.9.2.P2-1.mbs1.x86_64.rpm 181b8e5ddaccb10365b4c03457f7c77b mbs1/x86_64/bind-devel-9.9.2.P2-1.mbs1.x86_64.rpm a7b06470573069c1a0ad207fa5ea401e mbs1/x86_64/bind-doc-9.9.2.P2-1.mbs1.noarch.rpm 88d2444424375c4ca05a860dfdc4e695 mbs1/x86_64/bind-sdb-9.9.2.P2-1.mbs1.x86_64.rpm fd09642c9a8350f4f633e58f33d39a12 mbs1/x86_64/bind-utils-9.9.2.P2-1.mbs1.x86_64.rpm 3c703696946399024c7b107e1d28e031 mbs1/SRPMS/bind-9.9.2.P2-1.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. Here are the details from the Slackware 14.0 ChangeLog: +--------------------------+ patches/packages/bind-9.9.2_P2-i486-1_slack14.0.txz: Upgraded. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2266 https://kb.isc.org/article/AA-00871 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 12.1: ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/bind-9.8.4_P2-i486-1_slack12.1.tgz Updated package for Slackware 12.2: ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/bind-9.8.4_P2-i486-1_slack12.2.tgz Updated package for Slackware 13.0: ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/bind-9.8.4_P2-i486-1_slack13.0.txz Updated package for Slackware x86_64 13.0: ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/bind-9.8.4_P2-x86_64-1_slack13.0.txz Updated package for Slackware 13.1: ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/bind-9.8.4_P2-i486-1_slack13.1.txz Updated package for Slackware x86_64 13.1: ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/bind-9.8.4_P2-x86_64-1_slack13.1.txz Updated package for Slackware 13.37: ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/bind-9.8.4_P2-i486-1_slack13.37.txz Updated package for Slackware x86_64 13.37: ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/bind-9.8.4_P2-x86_64-1_slack13.37.txz Updated package for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/bind-9.9.2_P2-i486-1_slack14.0.txz Updated package for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/bind-9.9.2_P2-x86_64-1_slack14.0.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/bind-9.9.2_P2-i486-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/bind-9.9.2_P2-x86_64-1.txz MD5 signatures: +-------------+ Slackware 12.1 package: bcf111a9a9526482ae8dea688755c889 bind-9.8.4_P2-i486-1_slack12.1.tgz Slackware 12.2 package: ac7dd818bacdb8ba270ec7d21190a581 bind-9.8.4_P2-i486-1_slack12.2.tgz Slackware 13.0 package: 5d4bb658b7b8fdc01ae74275e1ff0b20 bind-9.8.4_P2-i486-1_slack13.0.txz Slackware x86_64 13.0 package: d7a20fdcbc112a724ee33279a0e1aacb bind-9.8.4_P2-x86_64-1_slack13.0.txz Slackware 13.1 package: 0ecbcf1b1ff849b906770266ee6b2264 bind-9.8.4_P2-i486-1_slack13.1.txz Slackware x86_64 13.1 package: 0bd611fc2026a964b499a954d9abfb05 bind-9.8.4_P2-x86_64-1_slack13.1.txz Slackware 13.37 package: f1cf2f258f710c63c7f6456dd1487a3e bind-9.8.4_P2-i486-1_slack13.37.txz Slackware x86_64 13.37 package: cbeb80303f92f9d745600be0cac3b820 bind-9.8.4_P2-x86_64-1_slack13.37.txz Slackware 14.0 package: 519d4a66bc1df3b5508f8ed6f2f5abc1 bind-9.9.2_P2-i486-1_slack14.0.txz Slackware x86_64 14.0 package: dd2320d76994dd0bb085e2cf6a86a86f bind-9.9.2_P2-x86_64-1_slack14.0.txz Slackware -current package: 0d7ff93b20cc99cff691e40c8847ab58 n/bind-9.9.2_P2-i486-1.txz Slackware x86_64 -current package: 42b6641fc5c041c51c65551f256fb847 n/bind-9.9.2_P2-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg bind-9.9.2_P2-i486-1_slack14.0.txz Then, restart the name server: # /etc/rc.d/rc.bind restart +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. Affects: FreeBSD 8.4-BETA1 and FreeBSD 9.x Corrected: 2013-03-28 05:35:46 UTC (stable/8, 8.4-BETA1) 2013-03-28 05:39:45 UTC (stable/9, 9.1-STABLE) 2013-04-02 17:34:42 UTC (releng/9.0, 9.0-RELEASE-p7) 2013-04-02 17:34:42 UTC (releng/9.1, 9.1-RELEASE-p2) CVE Name: CVE-2013-2266 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>. The libdns library is a library of DNS protocol support functions. II. This affects both recursive and authoritative servers. III. Impact A remote attacker can cause the named(8) daemon to consume all available memory and crash, resulting in a denial of service. Applications linked with the libdns library, for instance dig(1), may also be affected. IV. Workaround No workaround is available, but systems not running named(8) service and not using base system DNS utilities are not affected. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-13:04/bind.patch # fetch http://security.FreeBSD.org/patches/SA-13:04/bind.patch.asc # gpg --verify bind.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch Recompile the operating system using buildworld and installworld as described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. 3) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r248807 stable/9/ r248808 releng/9.0/ r249029 releng/9.1/ r249029 - ------------------------------------------------------------------------- VII. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201401-34 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: BIND: Denial of Service Date: January 29, 2014 Bugs: #437828, #446094, #453974, #463497, #478316, #483208, #498016 ID: 201401-34 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in BIND, possibly resulting in Denial of Service. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-dns/bind < 9.9.4_p2 >= 9.9.4_p2 Description =========== Multiple vulnerabilities have been discovered in BIND. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All BIND users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-dns/bind-9.9.4_p2" References ========== [ 1 ] CVE-2012-5166 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5166 [ 2 ] CVE-2012-5688 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5688 [ 3 ] CVE-2012-5689 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5689 [ 4 ] CVE-2013-2266 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2266 [ 5 ] CVE-2013-3919 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3919 [ 6 ] CVE-2013-4854 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4854 [ 7 ] CVE-2014-0591 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0591 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201401-34.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

Failure to Handle Exceptional Conditions

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Matthew Horsfall of Dyn, Inc.

SOURCES

LAST UPDATE DATE

2025-06-26T21:00:08.019000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE