SUSE-SR:2011:005

43439

43443

DSA-2208

http://www.isc.org/software/bind/advisories/cve-2011-0414

VU#449980

VU#559980

1025110

USN-1070-1

ADV-2011-0466

ADV-2011-0489

https://bugzilla.redhat.com/show_bug.cgi?id=679496

The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2020-0021 for details.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Fix CVE-2017-3136 (ISC change 4575)

  - Fix CVE-2017-3137 (ISC change 4578)

  - Fix and test caching CNAME before DNAME (ISC change     4558)

  - Fix CVE-2016-9147 (ISC change 4510)

  - Fix regression introduced by CVE-2016-8864 (ISC change     4530)

  - Restore SELinux contexts before named restart

  - Use /lib or /lib64 only if directory in chroot already     exists

  - Tighten NSS library pattern, escape chroot mount path

  - Fix (CVE-2016-8864)

  - Do not change lib permissions in chroot (#1321239)

  - Support WKS records in chroot (#1297562)

  - Do not include patch backup in docs (fixes #1325081     patch)

  - Backported relevant parts of [RT #39567] (#1259923)

  - Increase ISC_SOCKET_MAXEVENTS to 2048 (#1326283)

  - Fix multiple realms in nsupdate script like upstream     (#1313286)

  - Fix multiple realm in nsupdate script (#1313286)

  - Use resolver-query-timeout high enough to recover all     forwarders (#1325081)

  - Fix (CVE-2016-2848)

  - Fix infinite loop in start_lookup (#1306504)

  - Fix (CVE-2016-2776)

This bind update fixes a remote denial of service vulnerability that can be triggered using an IXFR or DDNS update. (CVE-2011-0414: CVSS v2 Base Score: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C))

The remote host is affected by the vulnerability described in GLSA-201206-01 (BIND: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in BIND. Please review the       CVE identifiers referenced below for details.
  Impact :

    The vulnerabilities allow remote attackers to cause a Denial of Service       (daemon crash) via a DNS query, to bypass intended access restrictions,       to incorrectly cache a ncache entry and a rrsig for the same type and to       incorrectly mark zone data as insecure.
  Workaround :

    There is no known workaround at this time.

It was discovered that BIND, a DNS server, contains a race condition when processing zones updates in an authoritative server, either through dynamic DNS updates or incremental zone transfer (IXFR). Such an update while processing a query could result in deadlock and denial of service. (CVE-2011-0414 )

In addition, this security update addresses a defect related to the processing of new DNSSEC DS records by the caching resolver, which may lead to name resolution failures in the delegated zone. If DNSSEC validation is enabled, this issue can make domains ending in .COM unavailable when the DS record for .COM is added to the DNS root zone on March 31st, 2011. An unpatched server which is affected by this issue can be restarted, thus re-enabling resolution of .COM domains.
This workaround applies to the version in oldstable, too.

Configurations not using DNSSEC validations are not affected by this second issue.

The remote host is running Bind, a popular name server. Versions of Bind 9.7.1-9.7.2-P3 are affected by a denial of service vulnerability.  There is a small window of time after an authoritative server processes a successful IXFR transfer or a dynamic update during which the IXFR / update coupled with a query may cause a deadlock to occur.  A server experiencing a high query and/or update rate will have a higher chance of being deadlocked.

It was discovered that Bind incorrectly handled IXFR transfers and dynamic updates while under heavy load when used as an authoritative server. A remote attacker could use this flaw to cause Bind to stop responding, resulting in a denial of service.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version number, the remote installation of BIND is affected by a denial of service vulnerability.

There is a small window of time after an authoritative server processes a successful IXFR transfer or a dynamic update during which the IXFR / update coupled with a query may cause a deadlock to occur.
A server experiencing a high query and/or update rate will have a higher chance of being deadlocked.

ID	Name	Product	Family	Severity
137170	OracleVM 3.3 / 3.4 : bind (OVMSA-2020-0021)	Nessus	OracleVM Local Security Checks	high
99569	OracleVM 3.3 / 3.4 : bind (OVMSA-2017-0066)	Nessus	OracleVM Local Security Checks	high
75438	openSUSE Security Update : bind (openSUSE-SU-2011:0135-1)	Nessus	SuSE Local Security Checks	high
59629	GLSA-201206-01 : BIND: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
53224	Debian DSA-2208-1 : bind9 - denial of service	Nessus	Debian Local Security Checks	high
5803	ISC BIND 9.7.1 - 9.7.2-P3 IXFR /DDNS Update Combinded with High Query Rate DoS	Nessus Network Monitor	DNS Servers	medium
52164	Ubuntu 10.10 : bind9 vulnerability (USN-1070-1)	Nessus	Ubuntu Local Security Checks	high
52158	ISC BIND 9.7.1-9.7.2-P3 IXFR / DDNS Update Combined with High Query Rate DoS	Nessus	DNS	high

CVE-2011-0414

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

medium

high

high