
BIND 9 patched against remote crash vuln

Time to get patching, sys admins: ISC (the Internet Systems Consortium) has issued a fix for a BIND 9 denial of service vulnerability. The defect and patch, published last week, “allows an attacker to crash a BIND 9 recursive resolver with a RUNTIME_CHECK error in resolver.c”, the ISC says in its announcement. CVE-2013-3919 …

COMMENTS


Lack of detail in the announcement

I saw the announcement last week and still don't know if there are other ways to trigger this.

E.g. most mail servers do a lookup on the connecting IP to get the hostname from RDNS and sometimes the envelope and header to/from/cc/etc. lines to do canonicalisation.

It is unclear to me if it is possible to use that to trigger the crash or if it needs something more from the query.

If it *is* possible to crash it via mail servers (or other services that do DNS lookups) then the potential exposure just skyrocketed.


Re: Lack of detail in the announcement

Just patch. The people who spend time working out new ways to interfere with your computer aren't the people who tell you about it and how to prevent it.

Ian: thanks for advertising to the world what software version you're running, but you may regret that. The office I'm in just moved off Adobe Reader 8, unsupported and unpatched for years. I had to bite my tongue, metaphorically, when the topic of updating came up, because our pants were well and truly down but it would be irresponsible to tell the outside world that. And futile to raise it internally.


Looks at the servers running Debian Wheezy...

9.8.4 and supported for another couple of years at least.

Always let someone else test the new stuff.
