Hi,

There is an emergency release for nsd: 3.2.13. It is available here:

www: http://nlnetlabs.nl/downloads/nsd/nsd-3.2.13.tar.gz
sha1: 2cb44f75e9686fd73c7ee9765857a36a8fe5bca9

NSD 3.2.11 and 3.2.12 are vulnerable to a denial of service attack if and only if you have enabled per zone stats (--enable-zone-stats, default off) [VU#517036 CVE-2012-2979].

The 3.2.13 release is fixed and not vulnerable to this attack. We strongly recommend updating NSD to version 3.2.13. Alternatively, you can apply a patch to 3.2.11 or 3.2.12:

www: http://nlnetlabs.nl/downloads/nsd/nsd-3.2.13-vuln.patch
sha1: aa845b1ea27090469ebc96a19d49e6afcd1b1969

Best regards,
Matthijs

BUG FIXES:
- Fix for nsd-patch segfault if zone has been removed from nsd.conf (thanks Ilya Bakulin).
- Bugfix #460: man page correction - identity.
- Bugfix #461: NSD child segfaults when asked for out-of-zone data with --enable-zone-stats. [VU#517036 CVE-2012-2979]

== Summary

When requesting non-authoritative data, and you use the new, experimental per zone statistics feature introduced in NSD 3.2.11, NSD wants to log the query statistics to a zone reference that is not set.

== Description

It is possible to crash (SIGSEGV) an NSD child server process by sending it a query for non-authoritative data. A crashed child process will automatically be restarted by the parent process, but an attacker may keep the NSD server occupied restarting child processes by sending it a stream of such packets, effectively preventing the NSD server from serving.

NSD 3.2.11 and NSD 3.2.12 are vulnerable to this attack, and only if you have enabled the experimental per zone statistics (--enable-zone-stats). This is disabled by default.

== Remote Exploit.

The problem packet causes NSD to dereference a null pointer. Most operating systems map the null pointer's address such that accessing it causes a segmentation fault, ruling out the possibility for remote exploit.

== Acknowledgement

This bug was discovered by Tom Hendrikx, the NSD package maintainer for Gentoo. Erwin Lansing filed a bug report (#461) for this on July 25th 2012.
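A simplified C model of the failure described in the advisory above, added here as an illustration and not taken from the NSD source or its patch: per-zone accounting has to handle a zone lookup that returns NULL for out-of-zone names. All names (`struct zone`, `find_zone`, `count_query`) and the zone list are hypothetical, constructed for this example.

```c
/* Simplified model of the bug class; hypothetical names, not NSD source. */
#include <stddef.h>
#include <string.h>
#include <strings.h>

struct zone {
    const char *apex;      /* zone apex, e.g. "example.nl." */
    unsigned long queries; /* per-zone statistics counter */
};

/* Constructed sample data: zones this server is authoritative for. */
static struct zone zones[] = {
    { "example.nl.", 0 },
    { "example.org.", 0 },
};
static unsigned long unmatched_queries; /* queries outside every zone */

/* Return the zone whose apex is a label-aligned suffix of qname, or NULL
 * when the name is out of zone (the non-authoritative case). */
static struct zone *find_zone(const char *qname)
{
    size_t qlen = strlen(qname);
    for (size_t i = 0; i < sizeof(zones) / sizeof(zones[0]); i++) {
        size_t alen = strlen(zones[i].apex);
        if (alen > qlen)
            continue;
        const char *tail = qname + (qlen - alen);
        if (strcasecmp(tail, zones[i].apex) == 0 &&
            (tail == qname || tail[-1] == '.'))
            return &zones[i];
    }
    return NULL;
}

/* Unsafe shape (not called): find_zone(qname)->queries++; crashes on NULL. */
/* Guarded accounting: returns 1 if counted against a zone, 0 otherwise. */
int count_query(const char *qname)
{
    struct zone *z = find_zone(qname);
    if (z == NULL) {
        unmatched_queries++; /* no zone reference: use a global bucket */
        return 0;
    }
    z->queries++;
    return 1;
}
unsigned long zone_queries(size_t i) { return zones[i].queries; }
unsigned long unmatched(void) { return unmatched_queries; }
```
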
Paul Wouters
2012-Jul-27 12:22 UTC
[nsd-users] Fedora/EPEL and NSD 3.2.13 emergency release
On Fri, 27 Jul 2012, Matthijs Mekking wrote:

> There is an emergency release for nsd: 3.2.13. It is available here:
>
> www: http://nlnetlabs.nl/downloads/nsd/nsd-3.2.13.tar.gz
> sha1: 2cb44f75e9686fd73c7ee9765857a36a8fe5bca9
>
> NSD 3.2.11 and 3.2.12 are vulnerable to a denial of service attack if
> and only if you have enabled per zone stats (--enable-zone-stats,
> default off) [VU#517036 CVE-2012-2979].

Fedora and EPEL releases are not vulnerable. Builds will be made today of 3.2.13. You should, however, upgrade to 3.2.12 if you haven't yet. Since the official feedback has not reached the threshold yet, you will need to install these with "yum install nsd --enablerepo=updates-testing".

If you have installed 3.2.12 and not yet left feedback, please see:

https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-6453/nsd-3.2.12-1.el6
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-6419/nsd-3.2.12-1.el5

Paul