thr3ads.net - nsd users - [nsd-users] NSD 3.2.12 emergency release [Jul 2012]

If this information is useful, please help other people find it:
Share via:

Willem Toorop

2012-Jul-19 13:41 UTC

[nsd-users] NSD 3.2.12 emergency release

Greetings,

There is a emergency release for nsd: 3.2.12. It is available here:

www:  http://nlnetlabs.nl/downloads/nsd/nsd-3.2.12.tar.gz
sha1: dd8606a05525f6a493dfacb7ddfa7e1fa3c6a85b

All previous versions of NSD 3 (NSD 3.0.0-3.0.8, 3.1.0-3.1.1, and
3.2.0-3.2.11) are vulnerable to a denial of service attack from any host
on the internet. [ VU#624931 CVE-2012-2978 ]
And so is the NSD 4 development branch before revision 3613.

The 3.2.12 release is fixed and not vulnerable to this attack.
We strongly recommend to update NSD to version 3.2.12.

Best regards,
  Willem


NSD 3.2.12 RELEASE NOTES

BUG FIXES:
- Fix for VU#624931 CVE-2012-2978: NSD denial of service
  vulnerability from non-standard DNS packet from any host
  on the internet.
  http://www.nlnetlabs.nl/downloads/CVE-2012-2978.txt


== Description

It is possible to crash (SIGSEGV) a NSD child server process by sending
it a non-standard DNS packet from any host on the internet. A crashed
child process will automatically be restarted by the parent process, but
an attacker may keep the NSD server occupied restarting child processes
by sending it a stream of such packets effectively preventing the NSD
server to serve.

== Remote Exploit.

The problem packet causes NSD to dereference a null pointer. Most
operating systems map the null pointer's address such that accessing it
causes a segmentation fault, ruling out the possibility for remote exploit.

== Acknowledgements

The bug was discovered by Marek Vavru?a and Lubos Slovak
from CZ.NIC Labs

Paul Wouters

2012-Jul-19 14:30 UTC

head link

[nsd-users] RHEL/Fedora package builds for NSD 3.2.12 emergency release

On Thu, 19 Jul 2012, Willem Toorop wrote:
> There is a emergency release for nsd: 3.2.12. It is available here:
>
> www:  http://nlnetlabs.nl/downloads/nsd/nsd-3.2.12.tar.gz
> sha1: dd8606a05525f6a493dfacb7ddfa7e1fa3c6a85b
All Fedora / RHEL builds can be found at:

https://bugzilla.redhat.com/show_bug.cgi?id=821553

and should appear in the testing repository mirrors over the next few hours.
You can grab them beforehand via:

EPEL5: https://admin.fedoraproject.org/updates/nsd-3.2.12-1.el6
EPEL6: https://admin.fedoraproject.org/updates/nsd-3.2.12-1.el5

Note that the Fedora builds might take a little longer as these are
stuck in a large queue due to the Fedora 18 mass rebuild currently
running. You can see if the Fedora 16/17 builds are started/done at:

Fedora 17: http://koji.fedoraproject.org/koji/taskinfo?taskID=4264117
Fedora 16: http://koji.fedoraproject.org/koji/taskinfo?taskID=4263816

Please leave feedback/karma as that will speed up the migration of the
package from the testing to the stable repositories.

Paul

nsd users - Jul 2012 - NSD 3.2.12 emergency release

[nsd-users] NSD 3.2.12 emergency release

[nsd-users] RHEL/Fedora package builds for NSD 3.2.12 emergency release