Slashdot carried this story yesterday on a BIND vulnerability:

<http://it.slashdot.org/story/09/07/29/0028231/New-DoS-Vulnerability-In-All-Versions-of-BIND-9>

The upstream report:

<https://www.isc.org/node/474>

Red Hat's Bugzilla:

<https://bugzilla.redhat.com/show_bug.cgi?id=514292>

From what I'm reading, if one has an Internet-facing master for a zone, one is vulnerable, even if dynamic DNS isn't being used.

On 07/29/2009 05:15 PM, Kenneth Porter wrote:
> From what I'm reading, if one has an Internet-facing master for a zone, one
> is vulnerable, even if dynamic DNS isn't being used.

yes, which is one of many reasons why a zone master is usually set up to not be publicly available.

--
Karanbir Singh : http://www.karan.org/ : 2522219 at icq

Kenneth Porter wrote:
> Slashdot carried this story yesterday on a BIND vulnerability:
>
> <http://it.slashdot.org/story/09/07/29/0028231/New-DoS-Vulnerability-In-All-Versions-of-BIND-9>
>

According to a commenter, this should provide a temporary countermeasure:

    iptables -A INPUT -p udp --dport 53 -j DROP -m u32 --u32 '30>>27&0xF=5'

Haven't tested it, would like to know the results...

Glenn

> The upstream report:
>
> <https://www.isc.org/node/474>
>
> Red Hat's Bugzilla:
>
> <https://bugzilla.redhat.com/show_bug.cgi?id=514292>
>
> From what I'm reading, if one has an Internet-facing master for a zone, one
> is vulnerable, even if dynamic DNS isn't being used.

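What the u32 expression in the rule above tests, as an added example that is not part of the original post: `30>>27&0xF=5` reads the 32-bit word at byte 30 of the IP packet, which for an IPv4 header without options is the start of the DNS flags field, and compares the 4-bit opcode with 5 (UPDATE, RFC 2136). The function names, addresses and sample packets are constructed for illustration.

```python
import struct

DNS_OPCODE_UPDATE = 5  # RFC 2136 dynamic update


def u32_rule_matches(ip_packet: bytes) -> bool:
    """Emulate --u32 '30>>27&0xF=5'; u32 applies its operators left to right."""
    if len(ip_packet) < 34:           # u32 needs 4 readable bytes at offset 30
        return False
    (word,) = struct.unpack_from("!I", ip_packet, 30)
    # Byte 30 holds QR(1) Opcode(4) AA TC RD: >>27 keeps QR+Opcode, &0xF drops QR.
    return (word >> 27) & 0xF == DNS_OPCODE_UPDATE


def dns_opcode(ip_packet: bytes) -> int:
    """Opcode obtained by walking the headers instead of using a fixed offset."""
    ihl = (ip_packet[0] & 0x0F) * 4   # IPv4 header length in bytes
    flags_hi = ip_packet[ihl + 8 + 2] # skip 8-byte UDP header and 2-byte DNS ID
    return (flags_hi >> 3) & 0xF


def build_packet(opcode: int, qr: int = 0) -> bytes:
    """Constructed IPv4/UDP/DNS packet (no IP options, checksums left at zero)."""
    dns = struct.pack("!HHHHHH", 0x1234, (qr << 15) | (opcode << 11), 1, 0, 0, 0)
    dns += b"\x07example\x03com\x00" + struct.pack("!HH", 6, 1)  # SOA, class IN
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 53]))
    return ip + udp


if __name__ == "__main__":
    for name, op in (("QUERY", 0), ("NOTIFY", 4), ("UPDATE", 5)):
        pkt = build_packet(op)
        print(f"{name:6} opcode={dns_opcode(pkt)} dropped={u32_rule_matches(pkt)}")
```

The rule drops every UDP message to port 53 whose opcode is UPDATE, so legitimate dynamic updates sent over UDP to the host are dropped as well; the fixed offset 30 assumes a 20-byte IPv4 header.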
In-Reply-To=<4A70B20C.5020808 at karan.org>
Reply-To:

(Apologies if this isn't in the thread properly; I'm trying to fake it from the website headers :-))

Karanbir Singh wrote:
> http://lists.centos.org/pipermail/centos-devel/2009-July/004794.html
>
> I've updated 2 machines, and had no problems here. But some wider
> testing would be good and we can get them into the main repos so more
> people benefit.

I just updated one machine; the process ended up with named not running.

I did

    rpm -Uvh bind-utils-9.2.4-30.el4_8.4.i386.rpm bind-9.2.4-30.el4_8.4.i386.rpm bind-libs-9.2.4-30.el4_8.4.i386.rpm

and got

    Jul 29 20:29:15 linode named: succeeded
    Jul 29 20:29:16 linode named[2873]: shutting down: flushing changes
    Jul 29 20:29:16 linode named[2873]: stopping command channel on 127.0.0.1#953
    Jul 29 20:29:16 linode named[2873]: no longer listening on 127.0.0.1#53
    Jul 29 20:29:16 linode named[2873]: no longer listening on 66.160.141.105#53
    Jul 29 20:29:17 linode named[2873]: exiting
    Jul 29 20:29:18 linode named: failed

After a restart it appeared to work...

    Jul 29 20:29:41 linode named[31609]: starting BIND 9.2.4 -u named
    Jul 29 20:29:41 linode named[31609]: using 4 CPUs
    Jul 29 20:29:41 linode named[31609]: loading configuration from '/etc/named.conf'

etc...

The daemon seems to be responding properly to requests after this manual start.

--
rgds
Stephen

Hi All,

I am using Caching DNS server with Bind 9

    bind-utils-9.3.4-10.P1.el5_3.1
    bind-9.3.4-10.P1.el5_3.1
    bind-chroot-9.3.4-10.P1.el5_3.1
    system-config-bind-4.0.3-2.el5.centos
    bind-libs-9.3.4-10.P1.el5_3.1

I am getting Error :

    named[22851]: mem.c:1061: REQUIRE((((ctx) != ((void *)0)) && (((const isc__magic_t *)(ctx))->magic == ((('M') << 24 | ('e') << 16 | ('m') << 8 | ('C')))))) failed
    named[22851]: exiting (due to assertion failure)

Is this related to above bug?

Thanks in advance
shprahi

On Wed, Jul 29, 2009 at 9:45 PM, Kenneth Porter <shiva at sewingwitch.com> wrote:
> Slashdot carried this story yesterday on a BIND vulnerability:
>
> <http://it.slashdot.org/story/09/07/29/0028231/New-DoS-Vulnerability-In-All-Versions-of-BIND-9>
>
> The upstream report:
>
> <https://www.isc.org/node/474>
>
> Red Hat's Bugzilla:
>
> <https://bugzilla.redhat.com/show_bug.cgi?id=514292>
>
> From what I'm reading, if one has an Internet-facing master for a zone, one
> is vulnerable, even if dynamic DNS isn't being used.