FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  373141
Date:      2014-11-23
Time:      10:35:06Z
Committer: madpilot

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
ef3306fc-8f9b-11db-ab33-000e0c2e438abind9 -- Denial of Service in named(8)

Problem Description

For a recursive DNS server, a remote attacker sending enough recursive queries for the replies to arrive after all the interested clients have left the recursion queue will trigger an INSIST failure in the named(8) daemon. Also for a recursive DNS server, an assertion failure can occur when processing a query whose reply will contain more than one SIG(covered) RRset.

For an authoritative DNS server serving a RFC 2535 DNSSEC zone which is queried for the SIG records where there are multiple SIG(covered) RRsets (e.g. a zone apex), named(8) will trigger an assertion failure when it tries to construct the response.

Impact

An attacker who can perform recursive lookups on a DNS server and is able to send a sufficiently large number of recursive queries, or is able to get the DNS server to return more than one SIG(covered) RRsets can stop the functionality of the DNS service.

An attacker querying an authoritative DNS server serving a RFC 2535 DNSSEC zone may be able to crash the DNS server.

Workaround

A possible workaround is to only allow trusted clients to perform recursive queries.


Discovery 2006-09-06
Entry 2006-12-19
bind9
gt 9.0 lt 9.3.2.1

CVE-2006-4095
CVE-2006-4096
SA-06:20.bind
83725c91-7c7e-11de-9672-00e0815b8da8BIND -- Dynamic update message remote DoS

Problem Description:

When named(8) receives a specially crafted dynamic update message an internal assertion check is triggered which causes named(8) to exit.

To trigger the problem, the dynamic update message must contains a record of type "ANY" and at least one resource record set (RRset) for this fully qualified domain name (FQDN) must exist on the server.

Impact:

An attacker which can send DNS requests to a nameserver can cause it to exit, thus creating a Denial of Service situation.

Workaround:

No generally applicable workaround is available, but some firewalls may be able to prevent nsupdate DNS packets from reaching the nameserver.

NOTE WELL: Merely configuring named(8) to ignore dynamic updates is NOT sufficient to protect it from this vulnerability.


Discovery 2009-07-28
Entry 2009-08-01
Modified 2009-08-04
bind9
lt 9.3.6.1.1

bind9-sdb-postgresql
bind9-sdb-ldap
lt 9.4.3.3

CVE-2009-0696
SA-09:12.bind
http://www.kb.cert.org/vuls/id/725188
https://www.isc.org/node/474
83725c91-7c7e-11de-9672-00e0815b8da8BIND -- Dynamic update message remote DoS

Problem Description:

When named(8) receives a specially crafted dynamic update message an internal assertion check is triggered which causes named(8) to exit.

To trigger the problem, the dynamic update message must contains a record of type "ANY" and at least one resource record set (RRset) for this fully qualified domain name (FQDN) must exist on the server.

Impact:

An attacker which can send DNS requests to a nameserver can cause it to exit, thus creating a Denial of Service situation.

Workaround:

No generally applicable workaround is available, but some firewalls may be able to prevent nsupdate DNS packets from reaching the nameserver.

NOTE WELL: Merely configuring named(8) to ignore dynamic updates is NOT sufficient to protect it from this vulnerability.


Discovery 2009-07-28
Entry 2009-08-01
Modified 2009-08-04
bind9
lt 9.3.6.1.1

bind9-sdb-postgresql
bind9-sdb-ldap
lt 9.4.3.3

CVE-2009-0696
SA-09:12.bind
http://www.kb.cert.org/vuls/id/725188
https://www.isc.org/node/474
30e4ed7b-1ca6-11da-bc01-000e0c2e438abind9 -- denial of service

Problem description

A DNSSEC-related validator function in BIND 9.3.0 contains an inappropriate internal consistency test. When this test is triggered, named(8) will exit.

Impact

On systems with DNSSEC enabled, a remote attacker may be able to inject a specially crafted packet that will cause the internal consistency test to trigger, and named(8) to terminate. As a result, the name server will no longer be available to service requests.

Workaround

DNSSEC is not enabled by default, and the "dnssec-enable" directive is not normally present. If DNSSEC has been enabled, disable it by changing the "dnssec-enable" directive to "dnssec-enable no;" in the named.conf(5) configuration file.


Discovery 2005-01-25
Entry 2005-09-03
bind9
eq 9.3.0

938617
CVE-2005-0034
http://www.uniras.gov.uk/niscc/docs/al-20050125-00060.html?lang=en
http://www.isc.org/sw/bind/bind9.3.php#security
ef3306fc-8f9b-11db-ab33-000e0c2e438abind9 -- Denial of Service in named(8)

Problem Description

For a recursive DNS server, a remote attacker sending enough recursive queries for the replies to arrive after all the interested clients have left the recursion queue will trigger an INSIST failure in the named(8) daemon. Also for a recursive DNS server, an assertion failure can occur when processing a query whose reply will contain more than one SIG(covered) RRset.

For an authoritative DNS server serving a RFC 2535 DNSSEC zone which is queried for the SIG records where there are multiple SIG(covered) RRsets (e.g. a zone apex), named(8) will trigger an assertion failure when it tries to construct the response.

Impact

An attacker who can perform recursive lookups on a DNS server and is able to send a sufficiently large number of recursive queries, or is able to get the DNS server to return more than one SIG(covered) RRsets can stop the functionality of the DNS service.

An attacker querying an authoritative DNS server serving a RFC 2535 DNSSEC zone may be able to crash the DNS server.

Workaround

A possible workaround is to only allow trusted clients to perform recursive queries.


Discovery 2006-09-06
Entry 2006-12-19
bind9
gt 9.0 lt 9.3.2.1

CVE-2006-4095
CVE-2006-4096
SA-06:20.bind
30e4ed7b-1ca6-11da-bc01-000e0c2e438abind9 -- denial of service

Problem description

A DNSSEC-related validator function in BIND 9.3.0 contains an inappropriate internal consistency test. When this test is triggered, named(8) will exit.

Impact

On systems with DNSSEC enabled, a remote attacker may be able to inject a specially crafted packet that will cause the internal consistency test to trigger, and named(8) to terminate. As a result, the name server will no longer be available to service requests.

Workaround

DNSSEC is not enabled by default, and the "dnssec-enable" directive is not normally present. If DNSSEC has been enabled, disable it by changing the "dnssec-enable" directive to "dnssec-enable no;" in the named.conf(5) configuration file.


Discovery 2005-01-25
Entry 2005-09-03
bind9
eq 9.3.0

938617
CVE-2005-0034
http://www.uniras.gov.uk/niscc/docs/al-20050125-00060.html?lang=en
http://www.isc.org/sw/bind/bind9.3.php#security