Description: A vulnerability been reported in ISC BIND, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error within the handling of the TSIG in the second or subsequent messages in a zone transfer. This can be exploited to crash "named" via a malformed TSIG in the messages. Successful exploitation requires that the first zone transfer message have a valid TSIG. Solution: The vulnerability will reportedly be fixed in a future release. Do not accept zone-transfers from non-trusted nameservers. Provided and/or discovered by: Reported by vendor based on DNS Test Tool created by Oulu University Secure Programming Group. Original Advisory: NISCC: http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf?lang=en
i mark it as a B3 and not A3, since the attacker must be authorized for zone transfer, and have valid TSIG.
This is CVE-2006-2073. It may be fixed in an upcoming release, if this corresponds : * Handle unexpected TSIGs on unsigned AXFR/IXFR responses more gracefully. [RT #15941]
Still nothing upstream apparently (according to Secunia).
fyi: 9.2.7/9.3.3 added to portage.
x86 stable for both versions
IMHO this is not fixed upstream yet.
(In reply to comment #6) > IMHO this is not fixed upstream yet. > and according to secunia too
seems that version 9.4 fixes it: http://www.isc.org/index.pl?/sw/bind/
Pierre-Yves do you have a more exact reference?
hmm sorry the link doesn't work (perl url...crap). But if you click on "BIND 9.4.0" under current release, and then scroll down to the release notes, you see: 2066. [security] Handle SIG queries gracefully. [RT #16300] So I think 9.4.0 is ok
sorry I misread, in fact it's not entry 2066 but 2013: 2013. [bug] Handle unexpected TSIGs on unsigned AXFR/IXFR responses more gracefully. [RT #15941] Fixed in 9.4.0a5.
Thx that is all I need. Bind what are your plans on stabling 9.4?
Thanks Pierre-Yves; voxus / bind team, any decision here?
any news here? I see that ~9.4.1 is in the tree, is it ok for asking stabilisation?
I run BIND 9.4.1 on x86. As the junior member of the bind herd, I support stabilization. :)
Bind what are your plans on stabling 9.4?
i'm a (rather *silent* listener-)member of the BIND herd, as I've to do really *much* of DNS administration at work. however, I don't feel well in stabelizing an arch I'm not on, so I stabelized for amd64 for bind and bind-tools as I'm already using them quite a while now. So it's stable on: alpha amd64 ppc64 sparc x86 and still testing on: ~hppa ~ia64 ~mips ~ppc looks to me, as if the main archs already stabelized bind so far, jaervosz.
CCing arch, so they do know about.
ppc stable as per #181556
Sorry Christian, I didn't check wether it was stabled since I first started asking and I even upgraded to 9.4 myself, duh! This one is ready for GLSA decision. I vote NO.
Stable on hppa.
I tend to vote NO.
mips stable on both bind and bind-tools.
ia64 stable
Security please vote.
I also vote no, since the remote server has to already be authorized for zone transfer.
2 NO votes, closing without glsa. feel free to reopen if you disagree.
