Re: testing bind9 for Jessie LTS



On Sat, May 25, 2019 at 01:04:18PM +0200, Thorsten Alteholz wrote:
> Hi everybody,
> 
> due to the awful lot of changes, I uploaded a preliminary version
> 1:9.9.5.dfsg-9+deb8u18 of bind9 to:
> 
> https://people.debian.org/~alteholz/packages/jessie-lts/bind9/
> 
> It contains a fix for CVE-2018-5743. Please give it a try and tell me about
> any problems you met.
> 
Hi Thorsten,

I took a look at your bind9 package.  Here is my assessment:

- I was not able to reproduce the behavior described in the CVE (file
  descriptor exhaustion) in the package currently in jessie (version
  9.9.5.dfsg-9+deb8u17)
- When I set the tcp-clients parameter in that version, named did appear
  to refuse additional connections producing a log message like this:
  named[3303]: client ::1#46336: no more TCP clients: quota reached
- After updating to the new version, it seems that setting the
  tcp-clients parameter results in more than one connection being
  blocked, regardless of the value of tcp-clients:
  named[5430]: client @0x7f098800bb60: TCP client quota reached: quota reached

For example, with a setting of "tcp-clients 5;" in the old version, I
can execute 'telnet localhost 53' in 5 terminal windows and on executing
that command in a sixth terminal window, the "quota reached" message is
logged.  However, with your patched version it starts emitting the
"quota reached" log message starting with the second concurrent
connection attempt.

Perhaps there might be another way to test this, but it seems like there
is a defect either in the upstream patch or in the backport.

Regards,

-Roberto

-- 
Roberto C. Sánchez
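The check described in the message (open one connection more than tcp-clients allows and count the "quota reached" log lines) can be automated against a captured named log. The following is an added example, not part of Roberto's or Thorsten's mail; the two log wordings it matches are the ones quoted above, and the sample log excerpts are constructed, not real captures.

```python
import re
from dataclasses import dataclass

# Matches the deb8u17 wording ("no more TCP clients: quota reached") and the
# deb8u18 wording ("TCP client quota reached: quota reached") quoted in the thread.
QUOTA_RE = re.compile(
    r"named\[(?P<pid>\d+)\]: client (?P<client>\S+): "
    r"(?:no more TCP clients|TCP client quota reached): quota reached"
)


@dataclass
class QuotaCheck:
    attempts: int      # concurrent TCP connections opened during the test
    tcp_clients: int   # value of "tcp-clients N;" in named.conf
    refused: int       # "quota reached" lines observed in the log

    @property
    def expected_refused(self) -> int:
        # Only the connections beyond the configured limit should be refused.
        return max(0, self.attempts - self.tcp_clients)

    @property
    def ok(self) -> bool:
        return self.refused == self.expected_refused


def count_quota_refusals(log_lines):
    """Count named log lines reporting a refused TCP client."""
    return sum(1 for line in log_lines if QUOTA_RE.search(line))


def check_quota(log_lines, attempts, tcp_clients):
    """Compare observed refusals with what tcp-clients should produce."""
    return QuotaCheck(attempts, tcp_clients, count_quota_refusals(log_lines))


# Constructed excerpt: tcp-clients 5, six connections, old package (1 refusal).
OLD_LOG = [
    "named[3303]: running",
    "named[3303]: client ::1#46336: no more TCP clients: quota reached",
]

# Constructed excerpt: same test against the patched package (5 refusals).
NEW_LOG = ["named[5430]: running"] + [
    f"named[5430]: client @0x7f098800bb{i:02x}: TCP client quota reached: quota reached"
    for i in range(0x60, 0x65)
]

if __name__ == "__main__":
    for name, log in (("deb8u17", OLD_LOG), ("deb8u18", NEW_LOG)):
        result = check_quota(log, attempts=6, tcp_clients=5)
        print(name, "OK" if result.ok else "REGRESSION", result)
```

Feed it the journal or syslog lines captured while running the telnet loop; a mismatch between observed and expected refusals flags the behaviour Roberto reports.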

