Thread-topic: [SA21752] ISC BIND Denial of Service Vulnerabilities
> ----------------------------------------------------------------------
>
> TITLE:
> ISC BIND Denial of Service Vulnerabilities
>
> SECUNIA ADVISORY ID:
> SA21752
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/21752/
>
> CRITICAL:
> Moderately critical
>
> IMPACT:
> DoS
>
> WHERE:
> From remote
>
> SOFTWARE:
> ISC BIND 9.2.x
> http://secunia.com/product/75/
> ISC BIND 9.3.x
> http://secunia.com/product/4298/
>
> DESCRIPTION:
> Some vulnerabilities have been reported in BIND, which can be
> exploited by malicious people to cause a DoS (Denial of Service).
>
> 1) An assertion error within the processing of SIG queries can be
> exploited to crash either a recursive server when more than one
> SIG(covered) Resource Record set (RRset) is returned or an
> authoritative server serving an RFC 2535 DNSSEC zone where there are
> multiple SIG(covered) RRsets.
>
> 2) An error within the handling of multiple recursive queries can be
> exploited to trigger an INSIST failure by causing the response to the
> query to arrive after all clients looking for the response have left
> the recursion queue.
>
> NOTE: According to the vendor, the vulnerabilities are likely not
> exploitable in the 9.2.x branch. However, a patch has been provided.
>
> SOLUTION:
> Update to BIND 9.3.3rc2, BIND 9.3.2-P1, BIND 9.2.7rc1, or BIND
> 9.2.6-P1.
> http://www.isc.org/index.pl?/sw/bind/
>
> The vulnerabilities have also been fixed in BIND 9.4.0b2.
>
> PROVIDED AND/OR DISCOVERED BY:
> Reported by the vendor.
>
> ORIGINAL ADVISORY:
> http://www.isc.org/sw/bind/bind-security.php
>
> OTHER REFERENCES:
> US-CERT VU#697164:
> http://www.kb.cert.org/vuls/id/697164
>
> US-CERT VU#915404:
> http://www.kb.cert.org/vuls/id/915404
>
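A defender's check against the SOLUTION section of the advisory above, added here as an example (it is not Secunia's or ISC's code): it orders BIND version strings the way ISC numbers them (b < rc < release < -P) and reports whether a given version, for instance the `BIND 9.3.2` line printed by `named -v`, is at or past one of the listed fixed releases. The rule that a later x.y.z release in the same branch keeps the fix, and the shape of the `named -v` output, are assumptions.

```python
"""Check a BIND version string against the fixed versions named in SA21752.

The version grammar and the 'later release in the same branch keeps the fix'
rule are assumptions of this example, not statements from the advisory.
"""
import re
from typing import Optional, Tuple

# Fixed versions exactly as listed in the advisory's SOLUTION section.
FIXED = ["9.2.6-P1", "9.2.7rc1", "9.3.2-P1", "9.3.3rc2", "9.4.0b2"]

# Order within one x.y.z line: beta < release candidate < release < -P patch.
_RANK = {"b": 0, "rc": 1, None: 2, "P": 3}
_VER = re.compile(r"^(?:BIND\s+)?(\d+)\.(\d+)\.(\d+)(?:(b|rc)(\d+)|-(P)(\d+))?\s*$")

Key = Tuple[int, int, int, int, int]


def parse(version: str) -> Key:
    """Turn e.g. 'BIND 9.3.2-P1' into a sortable tuple (9, 3, 2, 3, 1)."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised BIND version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    tag = m.group(4) or m.group(6)          # 'b', 'rc', 'P' or None (final)
    num = int(m.group(5) or m.group(7) or 0)
    return (major, minor, patch, _RANK[tag], num)


def is_fixed(version: str) -> Optional[bool]:
    """True if fixed, False if vulnerable, None if the branch is not in the advisory."""
    v = parse(version)
    branch = [parse(f) for f in FIXED if parse(f)[:2] == v[:2]]
    if not branch:
        return None                          # e.g. 9.1.x: not covered by SA21752
    # Same x.y.z line as a listed fix and at or after it: fixed (9.3.2-P1, 9.3.3rc2, 9.3.3).
    if any(v[:3] == f[:3] and v >= f for f in branch):
        return True
    # Assumption: a later x.y.z in the same branch (9.3.4, 9.2.8) keeps the fix;
    # anything else (9.3.1, 9.3.3rc1, 9.4.0b1) is still vulnerable.
    return v[:3] > max(f[:3] for f in branch)


if __name__ == "__main__":
    for sample in ["BIND 9.3.2", "BIND 9.3.2-P1", "9.3.3rc1", "9.2.6-P1", "9.4.0b1"]:
        print(sample, "->", is_fixed(sample))
```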