Bug 644907 - VUL-0: bind: DNSSEC denial of service via a recursive validating server
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Priority: P3 - Medium; Severity: Major
Assigned To: Security Team bot
Reported: 2010-10-08 11:35 UTC by Thomas Biege
Modified: 2010-11-04 14:46 UTC
Found By: Development
Description Thomas Biege 2010-10-08 11:35:56 UTC
Hi.
There is a security bug in package 'bind'.

This bug is public.

There is no coordinated release date (CRD) set.

CVE number: CVE-2010-0213
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0213

Original posting:


CVE-2010-0213
BIND 9.7.1 and 9.7.1-P1, when a recursive validating server has a trust anchor 
that is configured statically or via DNSSEC Lookaside Validation (DLV), allows 
remote attackers to cause a denial of service (infinite loop) via a query for 
an RRSIG record whose answer is not in the cache, which causes BIND to 
repeatedly send RRSIG queries to the authoritative servers.
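
The trigger named in the CVE text is a client query whose type is RRSIG, so on a resolver that cannot be updated immediately, query logs can be checked for such queries per client. The following is an added example, not part of the bug report or of BIND; it assumes query logging is enabled and that log lines have the layout shown in the comment, and the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed shape of a BIND 9 query-log line (logging category "queries"):
#   client <addr>#<port>: query: <qname> <class> <qtype> <flags> ...
QUERY_RE = re.compile(
    r"client (?P<addr>[0-9A-Fa-f:.]+)#\d+(?: \([^)]*\))?: "
    r"(?:view \S+: )?query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Constructed sample lines (documentation addresses and names only).
SAMPLE_LOG = """\
08-Oct-2010 11:40:01.101 client 192.0.2.10#40001: query: www.example.org IN A +
08-Oct-2010 11:40:01.350 client 198.51.100.7#51820: query: example.org IN RRSIG +
08-Oct-2010 11:40:02.002 client 198.51.100.7#51821: query: example.net IN RRSIG +
08-Oct-2010 11:40:02.500 client 192.0.2.10#40002: query: example.org IN DNSKEY +E
08-Oct-2010 11:40:03.000 general: info: zone example.org/IN: loaded serial 2010100801
08-Oct-2010 11:40:03.750 client 2001:db8::53#53000: query: example.com IN RRSIG +E
"""


def rrsig_queries(log_text):
    """Return (client, qname) for every client query with qtype RRSIG."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("qtype").upper() == "RRSIG":
            # Normalise the name; keep "." for the root instead of "".
            qname = m.group("qname").lower().rstrip(".") or "."
            hits.append((m.group("addr"), qname))
    return hits


def rrsig_by_client(log_text):
    """Count explicit RRSIG-type queries per client address."""
    return Counter(addr for addr, _ in rrsig_queries(log_text))


if __name__ == "__main__":
    for addr, n in rrsig_by_client(SAMPLE_LOG).most_common():
        print(f"{addr}: {n} explicit RRSIG queries")
```

Clients that appear here are candidates for review against the resolver's load at the same timestamps; the fix discussed in this bug remains the update to 9.7.1-P2.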
Comment 1 Uwe Gansert 2010-10-08 13:32:50 UTC
only openSUSE 11.3 with 9.7.1 is affected
I'll do an update to 9.7.1P2
Comment 2 Uwe Gansert 2010-10-12 08:48:52 UTC
I submitted an updated version (the step from 9.7.1 to 9.7.1-P2 only contains the security fix and two bugfixes - so I don't think a backport makes sense).

openSUSE:11.3:Update:Test

openSUSE 11.3 is the only affected version
Comment 3 Thomas Biege 2010-10-15 08:23:37 UTC
P5 -> P3 mass change
Comment 4 Swamp Workflow Management 2010-10-27 08:50:11 UTC
The SWAMPID for this issue is 36733.
This issue was rated as important.
Please submit fixed packages until 2010-11-03.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 5 Sebastian Krahmer 2010-10-27 09:26:36 UTC
Did you indeed submit for 11.3? The .changes shows something
about bnc#625019.
Comment 6 Uwe Gansert 2010-10-27 09:44:36 UTC
sorry, you are right. I submitted it now
Comment 7 Swamp Workflow Management 2010-10-28 06:19:49 UTC
Update released for: bind, bind-chrootenv, bind-debuginfo, bind-debugsource, bind-devel, bind-doc, bind-libs, bind-libs-debuginfo, bind-lwresd, bind-lwresd-debuginfo, bind-utils, bind-utils-debuginfo
Products:
openSUSE 11.3 (debug, i586, x86_64)
Comment 8 Ludwig Nussel 2010-10-28 06:20:09 UTC
released