bind: BIND named can crash due to a defect in EDNS printing processing (CVE-2014-3859)
A query specially crafted to exploit a defect in EDNS option processing can cause named to terminate with an assertion failure.
Impact:
Both authoritative and recursive servers are vulnerable to this defect. Exploitation of this condition can cause a denial of service in nameservers running affected versions of BIND 9.10. Access Control Lists do not provide protection.
The bug which causes this condition is in libdns; consequently in addition to the named server process other applications (for example: dig and delv) built using the libdns library from the affected source distributions can also be forced to crash with assertion failures triggered in the same fashion.
Solution:
Upgrade to the patched release most closely related to your current version of BIND. Open source versions can all be downloaded from http://www.isc.org/downloads. BIND 9 version 9.10.0-P2
(from redmine: issue id 3033, created on 2014-06-12, closed on 2014-06-24)
- Relations:
- child #3034 (closed)
- child #3035 (closed)
- child #3036 (closed)
- child #3037 (closed)
- Changesets:
- Revision ff22ce97 by Natanael Copa on 2014-06-12T14:47:32Z:
main/bind: security upgrade to 9.10.0_p2 (CVE-2014-3859)
fixes #3033