FreeBSD-SA-12:06.bind

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-12:06.bind Security Advisory
The FreeBSD Project

Topic: Multiple Denial of Service vulnerabilities with named(8)

Category: contrib
Module: bind
Announced: 2012-11-22
Affects: All supported versions of FreeBSD before 9.1-RC2.
Corrected: 2012-11-22 23:15:38 UTC (RELENG_7, 7.4-STABLE)
2012-11-22 22:52:15 UTC (RELENG_7_4, 7.4-RELEASE-p11)
2012-10-11 13:25:09 UTC (RELENG_8, 8.3-STABLE)
2012-11-22 22:52:15 UTC (RELENG_8_3, 8.3-RELEASE-p5)
2012-10-10 19:50:15 UTC (RELENG_9, 9.1-PRERELEASE)
2012-11-22 22:52:15 UTC (RELENG_9_0, 9.0-RELEASE-p5)
2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC1-p1)
2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC2-p1)
2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC3-p1)
CVE Name: CVE-2012-4244, CVE-2012-5166

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

II. Problem Description

The BIND daemon would crash when a query is made on a resource record
with RDATA that exceeds 65535 bytes.

The BIND daemon would lock up when a query is made on specific
combinations of RDATA.

III. Impact

A remote attacker can query a resolving name server to retrieve a record
whose RDATA is known to be larger than 65535 bytes, thereby causing the
resolving server to crash via an assertion failure in named.

An attacker who is in a position to add a record with RDATA larger than
65535 bytes to an authoritative name server can cause that server to
crash by later querying for that record.

The attacker can also cause the server to lock up with specific
combinations of RDATA.

IV. Workaround

No workaround is available, but systems not running the BIND name
server are not affected.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE,
or to the RELENG_7_4, RELENG_8_3, or RELENG_9_0 security branch dated
after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4,
8.3, and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-12:06/bind.patch # fetch http://security.FreeBSD.org/patches/SA-12:06/bind.patch.asc
b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 9.0-RELEASE, or 9.1-RC1 on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

4) Install and run BIND from the Ports Collection after the correction
date. The following versions and newer versions of BIND installed from
the Ports Collection are not affected by this vulnerability:

bind96-9.6.3.1.ESV.R7.4
bind97-9.7.6.4
bind98-9.8.3.4
bind99-9.9.1.4

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Subversion:

Branch/path Revision
– ————————————————————————-
stable/7/ r243418
releng/7.4/ r243417
stable/8/ r241443
releng/8.3/ r243417
stable/9/ r241415
releng/9.0/ r243417
releng/9.1/ r243417
– ————————————————————————-

VII. References

https://kb.isc.org/article/AA-00778 https://kb.isc.org/article/AA-00801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4244 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5166
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-12:06.bind.asc

—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.9

iEYEARECAAYFAlCutVIACgkQFdaIBMps37JhPQCfcwCHE7CxzBnrMdszdFYODgQs
1+kAn316Rx2d0Ecig5JHUR3broq5Hpog
=EklC
—–END PGP SIGNATURE—–

FreeBSD-SA-12:05.bind

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-12:05.bind Security Advisory
The FreeBSD Project

Topic: named(8) DNSSEC validation Denial of Service

Category: contrib
Module: bind
Announced: 2012-08-06
Credits: Einar Lonn of IIS.se
Affects: All supported versions of FreeBSD
Corrected: 2012-08-06 21:33:11 UTC (RELENG_7, 7.4-STABLE)
2012-08-06 21:33:11 UTC (RELENG_7_4, 7.4-RELEASE-p10)
2012-07-24 19:04:35 UTC (RELENG_8, 8.3-STABLE)
2012-08-06 21:33:11 UTC (RELENG_8_3, 8.3-RELEASE-p4)
2012-08-06 21:33:11 UTC (RELENG_8_2, 8.2-RELEASE-p10)
2012-08-06 21:33:11 UTC (RELENG_8_1, 8.1-RELEASE-p13)
2012-07-24 22:32:03 UTC (RELENG_9, 9.1-PRERELEASE)
2012-08-06 21:33:11 UTC (RELENG_9_0, 9.0-RELEASE-p4)
CVE Name: CVE-2012-3817

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

DNS Security Extensions (DNSSEC) provides data integrity, origin
authentication and authenticated denial of existence to resolvers.

II. Problem Description

BIND 9 stores a cache of query names that are known to be failing due
to misconfigured name servers or a broken chain of trust. Under high
query loads, when DNSSEC validation is active, it is possible for a
condition to arise in which data from this cache of failing queries
could be used before it was fully initialized, triggering an assertion
failure.

III. Impact

A remote attacker that is able to generate high volume of DNSSEC
validation enabled queries can trigger the assertion failure that causes
it to crash, resulting in a denial of service.

IV. Workaround

No workaround is available, but systems not running the BIND resolving
name server with dnssec-validation enabled are not affected.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE,
or to the RELENG_7_4, RELENG_8_3, RELENG_8_2, RELENG_8_1, or RELENG_9_0
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4,
8.3, 8.2, 8.1 and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-12:05/bind.patch # fetch http://security.FreeBSD.org/patches/SA-12:05/bind.patch.asc
b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind/dns
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, 8.1-RELEASE,
or 9.0-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

4) Install and run BIND from the Ports Collection after the correction
date. The following versions and newer versions of BIND installed from
the Ports Collection are not affected by this vulnerability:

bind96-9.6.3.1.ESV.R7.2
bind97-9.7.6.2
bind98-9.8.3.2
bind99-9.9.1.2

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
– ————————————————————————-
RELENG_7
src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.11
RELENG_7_4
src/UPDATING 1.507.2.36.2.12
src/sys/conf/newvers.sh 1.72.2.18.2.15
src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.8.2.1
RELENG_8
src/contrib/bind9/CHANGES 1.9.2.15
src/contrib/bind9/lib/dns/resolver.c 1.3.2.6
src/contrib/bind9/lib/dns/zone.c 1.6.2.10
src/contrib/bind9/lib/isc/random.c 1.2.2.4
src/contrib/bind9/version 1.9.2.15
RELENG_8_3
src/UPDATING 1.632.2.26.2.6
src/sys/conf/newvers.sh 1.83.2.15.2.8
src/contrib/bind9/lib/dns/resolver.c 1.6.2.7.2.1
RELENG_8_2
src/UPDATING 1.632.2.19.2.12
src/sys/conf/newvers.sh 1.83.2.12.2.15
src/contrib/bind9/lib/dns/resolver.c 1.6.2.4.2.1
RELENG_8_1
src/UPDATING 1.632.2.14.2.16
src/sys/conf/newvers.sh 1.83.2.10.2.17
src/contrib/bind9/lib/dns/resolver.c 1.6.2.3.2.1
RELENG_9
src/contrib/bind9/CHANGES 1.21.2.5
src/contrib/bind9/lib/dns/resolver.c 1.15.2.3
src/contrib/bind9/lib/dns/zone.c 1.7.2.3
src/contrib/bind9/version 1.21.2.5
RELENG_9_0
src/UPDATING 1.702.2.4.2.6
src/sys/conf/newvers.sh 1.95.2.4.2.8
src/contrib/bind9/lib/dns/resolver.c 1.15.4.1
– ————————————————————————-

Subversion:

Branch/path Revision
– ————————————————————————-
stable/7/ r239108
releng/7.4/ r239108
stable/8/ r238749
releng/8.3/ r239108
releng/8.2/ r239108
releng/8.1/ r239108
stable/9/ r238756
releng/9.0/ r239108
– ————————————————————————-

VII. References

https://kb.isc.org/article/AA-00729
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3817
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-12:05.bind.asc

—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.9

iEYEARECAAYFAlAgP6kACgkQFdaIBMps37KLuQCfdF1xHFsD5vgeWKeTfPo1z0UG
XN8AnRZQy5itaoFPFALXoDy3ZnZ5qA1t
=hvTi
—–END PGP SIGNATURE—–

FreeBSD-SA-12:03.bind

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-12:03.bind Security Advisory
The FreeBSD Project

Topic: Incorrect handling of zero-length RDATA fields in named(8)

Category: contrib
Module: bind
Announced: 2012-06-12
Credits: Dan Luther, Jeffrey A. Spain
Affects: All supported versions of FreeBSD
Corrected: 2012-06-12 12:10:10 UTC (RELENG_7, 7.4-STABLE)
2012-06-12 12:10:10 UTC (RELENG_7_4, 7.4-RELEASE-p9)
2012-06-04 22:21:55 UTC (RELENG_8, 8.3-STABLE)
2012-06-12 12:10:10 UTC (RELENG_8_3, 8.3-RELEASE-p3)
2012-06-12 12:10:10 UTC (RELENG_8_2, 8.2-RELEASE-p9)
2012-06-12 12:10:10 UTC (RELENG_8_1, 8.1-RELEASE-p11)
2012-06-04 22:14:33 UTC (RELENG_9, 9.0-STABLE)
2012-06-12 12:10:10 UTC (RELENG_9_0, 9.0-RELEASE-p3)
CVE Name: CVE-2012-1667

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

II. Problem Description

The named(8) server does not properly handle DNS resource records where
the RDATA field is zero length, which may cause various issues for the
servers handling them.

III. Impact

Resolving servers may crash or disclose some portion of memory to the
client. Authoritative servers may crash on restart after transferring a
zone containing records with zero-length RDATA fields. These would
result in a denial of service, or leak of sensitive information.

IV. Workaround

No workaround is available, but systems not running the BIND name
server are not affected.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE,
or to the RELENG_7_4, RELENG_8_3, RELENG_8_2, RELENG_8_1, or RELENG_9_0
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4,
8.3, 8.2, 8.1 and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, and 8.1-RELEASE]
# fetch http://security.FreeBSD.org/patches/SA-12:03/bind.patch # fetch http://security.FreeBSD.org/patches/SA-12:03/bind.patch.asc
[FreeBSD 9.0-RELEASE]
# fetch http://security.FreeBSD.org/patches/SA-12:03/bind-90.patch # fetch http://security.FreeBSD.org/patches/SA-12:03/bind-90.patch.asc
b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind/
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, 8.1-RELEASE,
or 9.0-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

4) Install and run BIND from the Ports Collection after the correction
date. The following versions and newer versions of BIND installed from
the Ports Collection are not affected by this vulnerability:

bind96-9.6.3.1.ESV.R7.1
bind97-9.7.6.1
bind98-9.8.3.1
bind99-9.9.1.1

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
– ————————————————————————-
RELENG_7
src/contrib/bind9/lib/dns/rdata.c 1.1.1.5.2.4
src/contrib/bind9/lib/dns/rdataslab.c 1.1.1.2.2.5
RELENG_7_4
src/UPDATING 1.507.2.36.2.11
src/sys/conf/newvers.sh 1.72.2.18.2.14
src/contrib/bind9/lib/dns/rdata.c 1.1.1.5.2.1.2.1
src/contrib/bind9/lib/dns/rdataslab.c 1.1.1.2.2.3.2.1
RELENG_8
src/contrib/bind9/lib/dns/rdata.c 1.2.2.4
src/contrib/bind9/lib/dns/rdataslab.c 1.2.2.5
RELENG_8_3
src/UPDATING 1.632.2.26.2.5
src/sys/conf/newvers.sh 1.83.2.15.2.7
src/contrib/bind9/lib/dns/rdata.c 1.2.2.2.2.1
src/contrib/bind9/lib/dns/rdataslab.c 1.2.2.3.2.1
RELENG_8_2
src/UPDATING 1.632.2.19.2.11
src/sys/conf/newvers.sh 1.83.2.12.2.14
src/contrib/bind9/lib/dns/rdata.c 1.2.8.1
src/contrib/bind9/lib/dns/rdataslab.c 1.2.2.2.2.1
RELENG_8_1
src/UPDATING 1.632.2.14.2.14
src/sys/conf/newvers.sh 1.83.2.10.2.15
src/contrib/bind9/lib/dns/rdata.c 1.2.6.1
src/contrib/bind9/lib/dns/rdataslab.c 1.2.2.1.2.1
RELENG_9
src/contrib/bind9/lib/dns/rdata.c 1.5.2.2
src/contrib/bind9/lib/dns/rdataslab.c 1.7.2.2
RELENG_9_0
src/UPDATING 1.702.2.4.2.5
src/sys/conf/newvers.sh 1.95.2.4.2.7
src/contrib/bind9/lib/dns/rdata.c 1.5.4.1
src/contrib/bind9/lib/dns/rdataslab.c 1.7.4.1
– ————————————————————————-

Subversion:

Branch/path Revision
– ————————————————————————-
stable/7/ r236953
releng/7.4/ r236953
stable/8/ r236590
releng/8.3/ r236953
releng/8.2/ r236953
releng/8.1/ r236953
stable/9/ r236587
releng/9.0/ r236953
– ————————————————————————-

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1667 http://www.isc.org/software/bind/advisories/cve-2012-1667
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-12:03.bind.asc

—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.12 (FreeBSD)

iEYEARECAAYFAk/XQGEACgkQFdaIBMps37LU+gCfcP1MdQy8s5gjNWJfW+BiP6oI
CWkAnRZzIRxAKWgD2spPAuBu04S9ZQkA
=aI2g
—–END PGP SIGNATURE—–

FreeBSD-SA-11:03.bind

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-11:03.bind Security Advisory
The FreeBSD Project

Topic: Remote packet Denial of Service against named(8) servers

Category: contrib
Module: bind
Announced: 2011-09-28
Credits: Roy Arends
Affects: 8.2-STABLE after 2011-05-28 and prior to the correction date
Corrected: 2011-07-06 00:50:54 UTC (RELENG_8, 8.2-STABLE)
CVE Name: CVE-2011-2464

Note: This advisory concerns a vulnerability which existed only in
the FreeBSD 8-STABLE branch and was fixed over two months prior to the
date of this advisory.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

II. Problem Description

A logic error in the BIND code causes the BIND daemon to accept bogus
data, which could cause the daemon to crash.

III. Impact

An attacker able to send traffic to the BIND daemon can cause it to
crash, resulting in a denial of service.

IV. Workaround

No workaround is available, but systems not running the BIND name server
are not affected.

V. Solution

Upgrade your vulnerable system to 8-STABLE dated after the correction
date.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
– ————————————————————————-
RELENG_8
src/contrib/bind9/lib/dns/message.c 1.3.2.3
– ————————————————————————-

Subversion:

Branch/path
Revision
– ————————————————————————-
stable/8/ r223815
– ————————————————————————-

VII. References

http://www.isc.org/software/bind/advisories/cve-2011-2464 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:03.bind.asc —–BEGIN PGP SIGNATURE—–
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk6C4CYACgkQFdaIBMps37LwQgCeIDVGsCWOLoVdmWogOOaPC1UG
9G8AoJPlRbNmkEWMg7uoOYrvjWlRRdlK
=aUvD
—–END PGP SIGNATURE—–

原文链接:http://security.freebsd.org/advisories/FreeBSD-SA-11:03.bind.asc

FreeBSD-SA-11:02.bind

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-11:02.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND remote DoS with large RRSIG RRsets and negative caching

Category:       contrib
Module:         bind
Announced:      2011-05-28
Credits:        Frank Kloeker, Michael Sinatra.
Affects:        All supported versions of FreeBSD.
Corrected:      2011-05-28 00:58:19 UTC (RELENG_7, 7.4-STABLE)
                2011-05-28 08:44:39 UTC (RELENG_7_3, 7.3-RELEASE-p6)
                2011-05-28 08:44:39 UTC (RELENG_7_4, 7.4-RELEASE-p2)
                2011-05-28 00:33:06 UTC (RELENG_8, 8.2-STABLE)
                2011-05-28 08:44:39 UTC (RELENG_8_1, 8.1-RELEASE-p4)
                2011-05-28 08:44:39 UTC (RELENG_8_2, 8.2-RELEASE-p2)
CVE Name:       CVE-2011-1910

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

DNS Security Extensions (DNSSEC) provides data integrity, origin
authentication and authenticated denial of existence to resolvers.

II.  Problem Description

Very large RRSIG RRsets included in a negative response can trigger
an assertion failure that will crash named(8) due to an off-by-one error
in a buffer size check.

III. Impact

If named(8) is being used as a recursive resolver, an attacker who
controls a DNS zone being resolved can cause named(8) to crash,
resulting in a denial of (DNS resolving) service.

DNSSEC does not need to be enabled on the resolver for it to be
vulnerable.

IV.  Workaround

No workaround is available, but systems not running the BIND DNS server
or using it exclusively as an authoritative name server (i.e., not as a
caching resolver) are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE,
or to the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD
7.3, 7.4, 8.1 and 8.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:02/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-11:02/bind.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart

3) To update your vulnerable system via a binary patch:

Systems running 7.3-RELEASE, 7.4-RELEASE, 8.1-RELEASE, or 8.2-RELEASE
on the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/contrib/bind9/lib/dns/ncache.c                          1.1.1.2.2.3
RELENG_7_4
  src/UPDATING                                             1.507.2.36.2.4
  src/sys/conf/newvers.sh                                   1.72.2.18.2.7
  src/contrib/bind9/lib/dns/ncache.c                      1.1.1.2.2.2.2.1
RELENG_7_3
  src/UPDATING                                             1.507.2.34.2.8
  src/sys/conf/newvers.sh                                  1.72.2.16.2.10
  src/contrib/bind9/lib/dns/ncache.c                         1.1.1.2.10.1
RELENG_8
  src/contrib/bind9/lib/dns/ncache.c                              1.2.2.4
RELENG_8_2
  src/UPDATING                                             1.632.2.19.2.4
  src/sys/conf/newvers.sh                                   1.83.2.12.2.7
  src/contrib/bind9/lib/dns/ncache.c                          1.2.2.2.2.1
RELENG_8_1
  src/UPDATING                                             1.632.2.14.2.7
  src/sys/conf/newvers.sh                                   1.83.2.10.2.8
  src/contrib/bind9/lib/dns/ncache.c                          1.2.2.1.2.1
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r222399
releng/7.4/                                                       r222416
releng/7.3/                                                       r222416
stable/8/                                                         r222396
releng/8.2/                                                       r222416
releng/8.1/                                                       r222416
head/                                                             r222395
- -------------------------------------------------------------------------

VII. References

http://www.isc.org/software/bind/advisories/cve-2011-1910
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1910

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:02.bind.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9

iEYEARECAAYFAk3gvuQACgkQFdaIBMps37L2iACgizZK4QS3rOaY0x7evMuyWIop
OaoAn3Pku/9HCSUULC2xurSnGU3AtJcz
=aG4/
-----END PGP SIGNATURE-----

 

原文链接:http://security.freebsd.org/advisories/FreeBSD-SA-11:02.bind.asc

FreeBSD Name Server配置

FreeBSD系统自带BIND软件,我们编辑/etc/namedb/named.conf即可设置BIND。

把默认的named.conf作个备份
cp /etc/namedb/named.conf /etc/namedb/named.conf.default

修改named.conf
options选项增加
allow-query     { any; };
recursion       no;        // 不提供递归服务
去掉
listen-on       { 127.0.0.1; };

域名记录增加
zone “bsdartbsdart.org” {
type master;
file “bsdart/bsdart.org.db”;
};

zone “23.51.210.in-addr.arpa” {
type master;
file “bsdart/bsdart.org.rev”;
};

新建bsdart目录
mkdir /etc/namedb/bsdart
chown -R bind:wheel /etc/namedb/bsdart

cd /etc/namedb/bsdart
vi bsdart.org.db
$TTL 3600
bsdart.org.     IN      SOA     dns.bsdart.org. admin.bsdart.org. (
2009070901      ; Serial
10800           ; Refresh
3600            ; Retry
604800          ; Expire
300 )           ; Negative Reponse TTL
; DNS Servers
IN      NS      dns.bsdart.org.
; MX Records
IN      MX 10   mail.bsdart.org.

IN      A       210.51.23.23
; Machine Names
localhost       IN      A       127.0.0.1
mail            IN      A       210.51.23.23
dns             IN      A       210.51.23.23
; Aliases
www             IN      CNAME   bsdart.org.

vi bsdart.org.rev
$TTL 3600
23.51.210.in-addr.arpa. IN SOA dns.bsdart.org. admin.bsdart.org. (
2009070901      ; Serial
10800           ; Refresh
3600            ; Retry
604800          ; Expire
300 )           ; Negative Reponse TTL
IN      NS      dns.bsdart.org.
23      IN      PTR     mail.bsdart.org.

vi /etc/rc.conf
新增
named_enable=”YES”

原文链接:http://garey.bsdart.org/2009/12/freebsd-name-server%E9%85%8D%E7%BD%AE/

FreeBSD-SA-10:01.bind

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

=============================================================================
FreeBSD-SA-10:01.bind                                       Security Advisory
The FreeBSD Project

Topic:          BIND named(8) cache poisoning with DNSSEC validation

Category:       contrib
Module:         bind
Announced:      2010-01-06
Credits:        Michael Sinatra
Affects:        All supported versions of FreeBSD.
Corrected:      2009-12-11 01:23:58 UTC (RELENG_8, 8.0-STABLE)
2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2)
2009-12-11 02:23:04 UTC (RELENG_7, 7.2-STABLE)
2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6)
2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10)
2010-01-06 21:45:30 UTC (RELENG_6, 6.4-STABLE)
2010-01-06 21:45:30 UTC (RELENG_6_4, 6.4-RELEASE-p9)
2010-01-06 21:45:30 UTC (RELENG_6_3, 6.3-RELEASE-p15)
CVE Name:       CVE-2009-4022

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

DNS Security Extensions (DNSSEC) provides data integrity, origin
authentication and authenticated denial of existence to resolvers.

II.  Problem Description

If a client requests DNSSEC records with the Checking Disabled (CD) flag
set, BIND may cache the unvalidated responses.  These responses may later
be returned to another client that has not set the CD flag.

III. Impact

If a client can send such queries to a server, it can exploit this
problem to mount a cache poisoning attack, seeding the cache with
unvalidated information.

IV.  Workaround

Disabling DNSSEC validation will prevent BIND from caching unvalidated
records, but also prevent DNSSEC authentication of records.  Systems not
using DNSSEC validation are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE,
or to the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or
RELENG_6_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, 7.2, and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.3]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-63.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-63.patch.asc

[FreeBSD 6.4]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-64.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-64.patch.asc

[FreeBSD 7.1]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-71.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-71.patch.asc

[FreeBSD 7.2]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-72.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-72.patch.asc

[FreeBSD 8.0]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-80.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-80.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart

NOTE WELL: Users running FreeBSD 6 and using DNSSEC are advised to get
a more recent BIND version with more complete DNSSEC support.  This
can be done either by upgrading to FreeBSD 7.x or later, or installing
BIND for the FreeBSD Ports Collection.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
Path
– ————————————————————————-
RELENG_6
src/contrib/bind9/lib/dns/rbtdb.c                           1.1.1.1.4.4
src/contrib/bind9/lib/dns/include/dns/types.h               1.1.1.1.4.2
src/contrib/bind9/lib/dns/resolver.c                       1.1.1.2.2.11
src/contrib/bind9/lib/dns/masterdump.c                      1.1.1.1.4.3
src/contrib/bind9/lib/dns/validator.c                       1.1.1.2.2.6
src/contrib/bind9/bin/named/query.c                         1.1.1.1.4.7
RELENG_6_4
src/UPDATING                                            1.416.2.40.2.13
src/sys/conf/newvers.sh                                  1.69.2.18.2.15
src/contrib/bind9/lib/dns/rbtdb.c                       1.1.1.1.4.3.2.1
src/contrib/bind9/lib/dns/include/dns/types.h           1.1.1.1.4.1.4.1
src/contrib/bind9/lib/dns/resolver.c                    1.1.1.2.2.9.2.1
src/contrib/bind9/lib/dns/masterdump.c                  1.1.1.1.4.1.4.1
src/contrib/bind9/lib/dns/validator.c                   1.1.1.2.2.4.2.1
src/contrib/bind9/bin/named/query.c                     1.1.1.1.4.5.2.1
RELENG_6_3
src/UPDATING                                            1.416.2.37.2.20
src/sys/conf/newvers.sh                                  1.69.2.15.2.19
src/contrib/bind9/lib/dns/rbtdb.c                       1.1.1.1.4.2.2.1
src/contrib/bind9/lib/dns/include/dns/types.h           1.1.1.1.4.1.2.1
src/contrib/bind9/lib/dns/resolver.c                    1.1.1.2.2.6.2.2
src/contrib/bind9/lib/dns/masterdump.c                  1.1.1.1.4.1.2.1
src/contrib/bind9/lib/dns/validator.c                   1.1.1.2.2.3.2.1
src/contrib/bind9/bin/named/query.c                     1.1.1.1.4.4.2.1
RELENG_7
src/contrib/bind9/lib/dns/rbtdb.c                           1.1.1.4.2.4
src/contrib/bind9/lib/dns/include/dns/types.h               1.1.1.3.2.2
src/contrib/bind9/lib/dns/resolver.c                        1.1.1.9.2.6
src/contrib/bind9/lib/dns/masterdump.c                      1.1.1.3.2.3
src/contrib/bind9/lib/dns/validator.c                       1.1.1.6.2.5
src/contrib/bind9/bin/named/query.c                         1.1.1.6.2.4
RELENG_7_2
src/UPDATING                                             1.507.2.23.2.9
src/sys/conf/newvers.sh                                  1.72.2.11.2.10
src/contrib/bind9/lib/dns/rbtdb.c                       1.1.1.4.2.2.2.1
src/contrib/bind9/lib/dns/include/dns/types.h               1.1.1.3.8.1
src/contrib/bind9/lib/dns/resolver.c                    1.1.1.9.2.4.2.1
src/contrib/bind9/lib/dns/masterdump.c                  1.1.1.3.2.1.2.1
src/contrib/bind9/lib/dns/validator.c                   1.1.1.6.2.3.2.1
src/contrib/bind9/bin/named/query.c                     1.1.1.6.2.2.2.1
RELENG_7_1
src/UPDATING                                            1.507.2.13.2.13
src/sys/conf/newvers.sh                                   1.72.2.9.2.14
src/contrib/bind9/lib/dns/rbtdb.c                       1.1.1.4.2.1.4.1
src/contrib/bind9/lib/dns/include/dns/types.h               1.1.1.3.6.1
src/contrib/bind9/lib/dns/resolver.c                    1.1.1.9.2.3.2.1
src/contrib/bind9/lib/dns/masterdump.c                      1.1.1.3.6.1
src/contrib/bind9/lib/dns/validator.c                   1.1.1.6.2.1.4.1
src/contrib/bind9/bin/named/query.c                     1.1.1.6.2.1.4.1
RELENG_8
src/contrib/bind9/lib/dns/rbtdb.c                               1.3.2.2
src/contrib/bind9/lib/dns/include/dns/types.h                   1.2.2.2
src/contrib/bind9/lib/dns/resolver.c                            1.6.2.2
src/contrib/bind9/lib/dns/masterdump.c                          1.3.2.2
src/contrib/bind9/lib/dns/validator.c                           1.4.2.2
src/contrib/bind9/bin/named/query.c                             1.3.2.2
RELENG_8_0
src/UPDATING                                              1.632.2.7.2.5
src/sys/conf/newvers.sh                                    1.83.2.6.2.5
src/contrib/bind9/lib/dns/rbtdb.c                               1.3.4.1
src/contrib/bind9/lib/dns/include/dns/types.h                   1.2.4.1
src/contrib/bind9/lib/dns/resolver.c                            1.6.4.1
src/contrib/bind9/lib/dns/masterdump.c                          1.3.4.1
src/contrib/bind9/lib/dns/validator.c                           1.4.4.1
src/contrib/bind9/bin/named/query.c                             1.3.4.1
– ————————————————————————-

Subversion:

Branch/path                                                      Revision
– ————————————————————————-
stable/6/                                                         r200394
releng/6.4/                                                       r201679
releng/6.3/                                                       r201679
stable/7/                                                         r200393
releng/7.2/                                                       r201679
releng/7.1/                                                       r201679
stable/8/                                                         r200383
releng/8.0/                                                       r201679
head/                                                             r199958
– ————————————————————————-

VII. References

https://www.isc.org/node/504
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:01.bind.asc
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.10 (FreeBSD)

iD8DBQFLRQ9dFdaIBMps37IRAip+AJ0S55AYqLsrwrLLMo8Qi6fGxoH7EQCfU/6K
RUb5Kn+O1qc/FUzEQ12AmrA=
=Pfoo
—–END PGP SIGNATURE—–

原文链接:http://security.freebsd.org/advisories/FreeBSD-SA-10:01.bind.asc