Executive Summary

Summary
Title bind9 security update
Informations
Name DSA-2208 First vendor Publication 2011-03-30
Vendor Debian Last vendor Modification 2011-03-30
Severity (Vendor) N/A Revision 2

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Cvss Base Score 7.1 Attack Range Network
Cvss Impact Score 6.9 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

The BIND, a DNS server, contains a defect related to the processing of new DNSSEC DS records by the caching resolver, which may lead to name resolution failures in the delegated zone. If DNSSEC validation is enabled, this issue can make domains ending in .COM unavailable when the DS record for .COM is added to the DNS root zone on March 31st, 2011. An unpatched server which is affected by this issue can be restarted, thus re-enabling resolution of .COM domains.

Configurations not using DNSSEC validations are not affected by this usse.

For the oldstable distribution (lenny), this problem has been fixed in version 1:9.6.ESV.R4+dfsg-0+lenny1.

We recommend that you upgrade your bind9 packages.

Original Source

Url : http://www.debian.org/security/2011/dsa-2208

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-399 Resource Management Errors

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:12628
 
Oval ID: oval:org.mitre.oval:def:12628
Title: DSA-2208-2 bind9 -- denial of service
Description: The BIND, a DNS server, contains a defect related to the processing of new DNSSEC DS records by the caching resolver, which may lead to name resolution failures in the delegated zone. If DNSSEC validation is enabled, this issue can make domains ending in .COM unavailable when the DS record for .COM is added to the DNS root zone on March 31st, 2011. An unpatched server which is affected by this issue can be restarted, thus re-enabling resolution of .COM domains. Configurations not using DNSSEC validations are not affected by this usse.
Family: unix Class: patch
Reference(s): DSA-2208-2
CVE-2011-0414
Version: 5
Platform(s): Debian GNU/Linux 5.0
Product(s): bind9
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12924
 
Oval ID: oval:org.mitre.oval:def:12924
Title: DSA-2208-1 bind9 -- denial of service
Description: It was discovered that BIND, a DNS server, contains a race condition when processing zones updates in an authoritative server, either through dynamic DNS updates or incremental zone transfer. Such an update while processing a query could result in deadlock and denial of service. In addition, this security update addresses a defect related to the processing of new DNSSEC DS records by the caching resolver, which may lead to name resolution failures in the delegated zone. If DNSSEC validation is enabled, this issue can make domains ending in .COM unavailable when the DS record for .COM is added to the DNS root zone on March 31st, 2011. An unpatched server which is affected by this issue can be restarted, thus re-enabling resolution of .COM domains. This workaround applies to the version in oldstable, too. Configurations not using DNSSEC validations are not affected by this second issue.
Family: unix Class: patch
Reference(s): DSA-2208-1
CVE-2011-0414
Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Product(s): bind9
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13186
 
Oval ID: oval:org.mitre.oval:def:13186
Title: USN-1070-1 -- bind9 vulnerability
Description: It was discovered that Bind incorrectly handled IXFR transfers and dynamic updates while under heavy load when used as an authoritative server. A remote attacker could use this flaw to cause Bind to stop responding, resulting in a denial of service.
Family: unix Class: patch
Reference(s): USN-1070-1
CVE-2011-0414
Version: 5
Platform(s): Ubuntu 10.10
Product(s): bind9
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 9

OpenVAS Exploits

Date Description
2012-08-10 Name : Gentoo Security Advisory GLSA 201206-01 (bind)
File : nvt/glsa_201206_01.nasl
2011-05-12 Name : Debian Security Advisory DSA 2208-1 (bind9)
File : nvt/deb_2208_1.nasl
2011-05-12 Name : Debian Security Advisory DSA 2208-2 (bind9)
File : nvt/deb_2208_2.nasl
2011-02-28 Name : Ubuntu Update for bind9 vulnerability USN-1070-1
File : nvt/gb_ubuntu_USN_1070_1.nasl
2011-02-23 Name : ISC BIND 9 IXFR Transfer/DDNS Update Remote Denial of Service Vulnerability
File : nvt/gb_bind_46491.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
72539 ISC BIND Authoritative Server Crafted IXFR / DDNS Query Update Deadlock DoS

Nessus® Vulnerability Scanner

Date Description
2017-04-21 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2017-0066.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : suse_11_3_bind-110224.nasl - Type : ACT_GATHER_INFO
2012-06-21 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201206-01.nasl - Type : ACT_GATHER_INFO
2011-03-31 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2208.nasl - Type : ACT_GATHER_INFO
2011-02-24 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1070-1.nasl - Type : ACT_GATHER_INFO
2011-02-23 Name : The remote name server is affected by a denial of service vulnerability.
File : bind9_973.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 11:30:03
  • Multiple Updates