Bug 658974 (CVE-2010-3613)
| Field | Value |
|---|---|
| Summary | CVE-2010-3613 bind: failure to clear existing RRSIG records when a NO DATA is negatively cached could DoS named |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Vincent Danen <vdanen> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | atkac, cwebster, jlieskov, mcermak, rphipps+bugzredhat, tomichi |
| Keywords | Reopened, Security |
| Doc Type | Bug Fix |
| Last Closed | 2010-12-22 15:33:01 UTC |
| Bug Depends On | 658987, 658990, 659266, 659267, 659268, 659269, 659270, 663898, 663899 |
Description
Vincent Danen
2010-12-01 18:08:15 UTC
Created bind tracking bugs for this issue

Affects: fedora-14 [bug 658987]
Affects: fedora-13 [bug 658990]

Created attachment 464204 [details]
Patch for 9.7.0

Patch to fix CVE-2010-3613 and CVE-2010-3614 in bind 9.7.0. Extracted from Ubuntu update USN-1025-1.

Created attachment 464237 [details]
Patch

Does this also affect RHEL5's bind-9.3.6-4.P1.el5_4.2?

(In reply to comment #5)
> Does this also affect RHEL5's bind-9.3.6-4.P1.el5_4.2?

Yes, RHEL5's bind is also affected.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2010:0975 https://rhn.redhat.com/errata/RHSA-2010-0975.html

This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2010:0976 https://rhn.redhat.com/errata/RHSA-2010-0976.html

What about RHEL4? The Red Hat CVE database does not mention whether bind-9.2.4-30.el4_8.5.i386.rpm is vulnerable to CVE-2010-3613 or CVE-2010-3614. Government systems must be patched or provide a vendor statement that RHEL4 is not affected.

Red Hat Enterprise Linux 4 is affected, but in a different way: the main problem is that the attacker can be the owner of a nameserver of a certain public domain, and he can temporarily sign the domain via old and deprecated DNSSEC. In this case he can use that domain to DoS BIND in RHEL-4. Although it is an unlikely scenario (the attacker has to control the NS of some domain and has to have recursive perms on the DoS-ed nameserver), it might happen. We will be patching RHEL4.

As for CVE-2010-3614, a statement was made regarding that flaw's affects: "There's no plan to address this low-impact flaw in Red Hat Enterprise Linux 4, where bind does not implement support for currently used DNSSEC protocol version." (https://bugzilla.redhat.com/show_bug.cgi?id=658977#c7)

I have made an official statement in that bug which will show up on the CVE pages. Thank you for bringing that to our attention.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 4

Via RHSA-2010:1000 https://rhn.redhat.com/errata/RHSA-2010-1000.html
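The defect in the bug summary (an RRSIG left in the cache after a NODATA answer for the same name and type is negatively cached, tripping an assertion in named on a later query for that data) is easier to see in a toy model than in named's rbtdb. The following is an added illustration written for this page; it is not BIND code and not a patch from this bug. The `ToyCache` class, its key layout, the `run_scenario` driver and the sample `www.example.test.` records are all constructed for the example; the only thing taken from the page is the sequence of events: a signed positive answer is cached, then a NODATA for the same name/type is cached, then the cached data is queried.

```python
"""Toy model of the negative-cache defect behind CVE-2010-3613.

Added illustration, not code from BIND or from this bug. RRSIGs are kept as
their own rrsets under type RRSIG with a 'covers' field naming the type they
sign, which is how named stores them; everything else is simplified.
"""
from dataclasses import dataclass
from typing import Optional

RRSIG = "RRSIG"


@dataclass
class RRset:
    name: str
    rrtype: str
    rdata: list
    covers: Optional[str] = None   # only RRSIG rrsets carry the covered type


@dataclass
class NegativeEntry:
    """Negative cache entry: NODATA has been cached for (name, rrtype)."""
    name: str
    rrtype: str


class ToyCache:
    """Cache keyed by (owner, rrtype, covers). Constructed for this example."""

    def __init__(self, clear_rrsig_on_nodata: bool):
        # True models the fixed behaviour, False the vulnerable one.
        self.clear_rrsig_on_nodata = clear_rrsig_on_nodata
        self.entries = {}

    def add_positive(self, rrset: RRset) -> None:
        self.entries[(rrset.name, rrset.rrtype, rrset.covers)] = rrset

    def add_nodata(self, name: str, rrtype: str) -> None:
        """Negatively cache a NODATA answer for (name, rrtype).

        The positive rrset is replaced by a negative entry in both variants.
        The fix additionally drops the RRSIG that covered the old rrset; the
        vulnerable variant leaves that RRSIG behind.
        """
        self.entries[(name, rrtype, None)] = NegativeEntry(name, rrtype)
        if self.clear_rrsig_on_nodata:
            self.entries.pop((name, RRSIG, rrtype), None)

    def lookup(self, name: str, rrtype: str):
        """Query cached data and enforce the invariant the real daemon asserts
        on: a negative entry must never be paired with a covering RRSIG."""
        data = self.entries.get((name, rrtype, None))
        sig = self.entries.get((name, RRSIG, rrtype))
        if isinstance(data, NegativeEntry) and sig is not None:
            raise AssertionError(
                f"NODATA cached for {name}/{rrtype} but an RRSIG covering "
                f"{rrtype} is still in the cache")
        return data, sig


def run_scenario(fixed: bool) -> str:
    """Replay the triggering sequence and report 'ok' or 'assertion'.

    1. cache a signed A rrset (positive answer plus its RRSIG),
    2. cache NODATA for the same name/type (e.g. because the authority, which
       the RHEL4 comment notes may be attacker controlled, now answers NODATA),
    3. query the cached data, as a later client query would.
    """
    cache = ToyCache(clear_rrsig_on_nodata=fixed)
    # Constructed sample records; not real zone data.
    cache.add_positive(RRset("www.example.test.", "A", ["192.0.2.10"]))
    cache.add_positive(RRset("www.example.test.", RRSIG,
                             ["A 5 3 300 ... example.test. <signature>"],
                             covers="A"))
    cache.add_nodata("www.example.test.", "A")
    try:
        cache.lookup("www.example.test.", "A")
    except AssertionError:
        return "assertion"   # in named this is the INSIST failure: the daemon aborts
    return "ok"


if __name__ == "__main__":
    print("vulnerable:", run_scenario(fixed=False))
    print("fixed:     ", run_scenario(fixed=True))
```

The point the model makes is that the crash is reached by a perfectly ordinary client query against a recursive resolver; the attacker's only job is to get a signed answer and then a NODATA for the same name and type into the cache, which is why the RHEL4 comment ties the scenario to controlling the authoritative nameserver for a domain and having recursion permitted on the target.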