FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-12-18 05:51:40 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
ef3306fc-8f9b-11db-ab33-000e0c2e438a	bind9 -- Denial of Service in named(8) Problem Description For a recursive DNS server, a remote attacker sending enough recursive queries for the replies to arrive after all the interested clients have left the recursion queue will trigger an INSIST failure in the named(8) daemon. Also for a recursive DNS server, an assertion failure can occur when processing a query whose reply will contain more than one SIG(covered) RRset. For an authoritative DNS server serving a RFC 2535 DNSSEC zone which is queried for the SIG records where there are multiple SIG(covered) RRsets (e.g. a zone apex), named(8) will trigger an assertion failure when it tries to construct the response. Impact An attacker who can perform recursive lookups on a DNS server and is able to send a sufficiently large number of recursive queries, or is able to get the DNS server to return more than one SIG(covered) RRsets can stop the functionality of the DNS service. An attacker querying an authoritative DNS server serving a RFC 2535 DNSSEC zone may be able to crash the DNS server. Workaround A possible workaround is to only allow trusted clients to perform recursive queries. Discovery 2006-09-06 Entry 2006-12-19 Modified 2016-08-09 FreeBSD >= 6.1 lt 6.1_6 >= 6.0 lt 6.0_11 >= 5.5 lt 5.5_4 >= 5.4 lt 5.4_18 >= 5.0 lt 5.3_33 bind9 >= 9.0 lt 9.3.2.1 CVE-2006-4095 CVE-2006-4096 SA-06:20.bind
83725c91-7c7e-11de-9672-00e0815b8da8	BIND -- Dynamic update message remote DoS Problem Description: When named(8) receives a specially crafted dynamic update message an internal assertion check is triggered which causes named(8) to exit. To trigger the problem, the dynamic update message must contains a record of type "ANY" and at least one resource record set (RRset) for this fully qualified domain name (FQDN) must exist on the server. Impact: An attacker which can send DNS requests to a nameserver can cause it to exit, thus creating a Denial of Service situation. Workaround: No generally applicable workaround is available, but some firewalls may be able to prevent nsupdate DNS packets from reaching the nameserver. NOTE WELL: Merely configuring named(8) to ignore dynamic updates is NOT sufficient to protect it from this vulnerability. Discovery 2009-07-28 Entry 2009-08-01 Modified 2009-08-04 bind9 < 9.3.6.1.1 bind9-sdb-postgresql bind9-sdb-ldap < 9.4.3.3 FreeBSD >= 6.3 lt 6.3_12 >= 6.4 lt 6.4_6 >= 7.1 lt 7.1_7 >= 7.2 lt 7.2_3 CVE-2009-0696 SA-09:12.bind http://www.kb.cert.org/vuls/id/725188 https://www.isc.org/node/474

VuXML ID

Description

ef3306fc-8f9b-11db-ab33-000e0c2e438a

bind9 -- Denial of Service in named(8)

Problem Description

For a recursive DNS server, a remote attacker sending enough recursive queries for the replies to arrive after all the interested clients have left the recursion queue will trigger an INSIST failure in the named(8) daemon. Also for a recursive DNS server, an assertion failure can occur when processing a query whose reply will contain more than one SIG(covered) RRset.

For an authoritative DNS server serving a RFC 2535 DNSSEC zone which is queried for the SIG records where there are multiple SIG(covered) RRsets (e.g. a zone apex), named(8) will trigger an assertion failure when it tries to construct the response.

Impact

An attacker who can perform recursive lookups on a DNS server and is able to send a sufficiently large number of recursive queries, or is able to get the DNS server to return more than one SIG(covered) RRsets can stop the functionality of the DNS service.

An attacker querying an authoritative DNS server serving a RFC 2535 DNSSEC zone may be able to crash the DNS server.

Workaround

A possible workaround is to only allow trusted clients to perform recursive queries.

Discovery 2006-09-06
Entry 2006-12-19
Modified 2016-08-09
FreeBSD

>= 6.1 lt 6.1_6

>= 6.0 lt 6.0_11

>= 5.5 lt 5.5_4

>= 5.4 lt 5.4_18

>= 5.0 lt 5.3_33

bind9

>= 9.0 lt 9.3.2.1

CVE-2006-4095
CVE-2006-4096
SA-06:20.bind

83725c91-7c7e-11de-9672-00e0815b8da8

BIND -- Dynamic update message remote DoS

Problem Description:

When named(8) receives a specially crafted dynamic update message an internal assertion check is triggered which causes named(8) to exit.

To trigger the problem, the dynamic update message must contains a record of type "ANY" and at least one resource record set (RRset) for this fully qualified domain name (FQDN) must exist on the server.

Impact:

An attacker which can send DNS requests to a nameserver can cause it to exit, thus creating a Denial of Service situation.

Workaround:

No generally applicable workaround is available, but some firewalls may be able to prevent nsupdate DNS packets from reaching the nameserver.

NOTE WELL: Merely configuring named(8) to ignore dynamic updates is NOT sufficient to protect it from this vulnerability.

Discovery 2009-07-28
Entry 2009-08-01
Modified 2009-08-04
bind9

< 9.3.6.1.1

bind9-sdb-postgresql
bind9-sdb-ldap

< 9.4.3.3

FreeBSD

>= 6.3 lt 6.3_12

>= 6.4 lt 6.4_6

>= 7.1 lt 7.1_7

>= 7.2 lt 7.2_3

CVE-2009-0696
SA-09:12.bind
http://www.kb.cert.org/vuls/id/725188
https://www.isc.org/node/474