BIND query_addsoa() Bug Lets Remote Users Deny Service
|
|
SecurityTracker Alert ID: 1017985 |
|
SecurityTracker URL: http://securitytracker.com/id/1017985
|
|
CVE Reference:
CVE-2007-2241
(Links to External Site)
|
Updated: May 19 2008
|
Original Entry Date: May 1 2007
|
Impact:
Denial of service via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 9.4.0
|
Description:
A vulnerability was reported in BIND. A remote user can cause denial of service conditions.
A remote user can send specially crafted DNS queries to trigger an assertion failure in the query_addsoa() function in 'query.c' and cause the target service to crash.
The vendor was notified on April 29, 2007 (UTC).
Shumon Huque reported this vulnerability.
|
Impact:
A remote user can cause the target name server to crash.
|
Solution:
The vendor has issued a fixed version (9.4.1).
|
Vendor URL: www.isc.org/sw/bind/view/?release=9.4.1#RELEASE (Links to External Site)
|
Cause:
Exception handling error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 30 Apr 2007 23:32:01 -0400
Subject: BIND
|
> BIND 9.4.1 is now available.
> BIND 9.4.1 is a security release of BIND 9, containing a
> fix for a vulnerability in BIND 9.4.0:
> 2172. [bug] query_addsoa() was being called with a non zone db.
> [RT #16834]
|
|
