Re: testing bind9 for Jessie LTS
On Sat, May 25, 2019 at 01:04:18PM +0200, Thorsten Alteholz wrote:
> Hi everybody,
>
> due to the awful lot of changes, I uploaded a preliminary version
> 1:9.9.5.dfsg-9+deb8u18 of bind9 to:
>
> https://people.debian.org/~alteholz/packages/jessie-lts/bind9/
>
> It contains a fix for CVE-2018-5743. Please give it a try and tell me about
> any problems you met.
>
Hi Thorsten,
I took a look at your bind9 package. Here is my assessment:
- I was not able to reproduce the behavior described in the CVE (file
descriptor exhaustion) in the package currently in jessie (version
9.9.5.dfsg-9+deb8u17)
- When I set the tcp-clients parameter in that version, named did appear
to refuse additional connections producing a log message like this:
named[3303]: client ::1#46336: no more TCP clients: quota reached
- After updating to the new version, it seems that setting the
tcp-clients parameter results in more than one connection being
blocked, regardless of the value of tcp-clients:
named[5430]: client @0x7f098800bb60: TCP client quota reached: quota reached
For example, with a setting of "tcp-clients 5;" in the old version, I
can execute 'telnet localhost 53' in 5 terminal windows and on executing
that command in a sixth terminal window the "quota reached" message is
logged. However, with your patched version it starts emitting the
"quota reached" log message starting with the second concurrent
connection attempt.
Perhaps there might be another way to test this, but it seems like there
is a defect either in the upstream patch or in the backport.
Regards,
-Roberto
--
Roberto C. Sánchez
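The manual check described in the message above (set tcp-clients, open concurrent TCP connections to port 53, count "quota reached" log lines) can be scripted so that the old and the patched package are compared under identical conditions. The following is an added example and is not code from the bind9 package or from anyone in this thread; the resolver address 127.0.0.1:53, the log path /var/log/syslog and the sample log lines used in the self-check are assumptions or constructed. It recognises both message formats quoted in the thread and compares the observed count with what the tcp-clients value predicts, so the "refused from the second connection on" behaviour shows up as a mismatch.

```python
"""Check named's tcp-clients quota: open N concurrent TCP connections, hold
them, then count "quota reached" lines that named logged meanwhile.
Added example, not code from bind9 or this thread; host, port, log path
and sample lines are assumptions/constructed."""
import re
import socket
import threading
import time

# Matches both formats quoted in the thread:
#   "client ::1#46336: no more TCP clients: quota reached"            (+deb8u17)
#   "client @0x7f098800bb60: TCP client quota reached: quota reached"  (+deb8u18)
QUOTA_RE = re.compile(r"named\[\d+\]: client .*quota reached")


def count_quota_messages(log_lines):
    """Return how many log lines report the TCP client quota being hit."""
    return sum(1 for line in log_lines if QUOTA_RE.search(line))


def expected_quota_messages(tcp_clients, attempts):
    """With `attempts` simultaneous connections and a limit of `tcp_clients`,
    only the surplus should be refused; none while attempts <= tcp_clients."""
    return max(0, attempts - tcp_clients)


def hold_connections(host, port, count, hold_seconds=2.0, timeout=2.0):
    """Open `count` TCP connections at once and keep them open so named sees
    them as concurrent clients. Returns how many were established."""
    socks = []
    for _ in range(count):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            socks.append(s)
        except OSError:
            s.close()
    time.sleep(hold_seconds)  # keep them open together, like the telnet windows
    for s in socks:
        s.close()
    return len(socks)


def quota_check(tcp_clients, attempts, log_lines):
    """Compare observed quota messages with the tcp-clients prediction.
    Returns (observed, expected, ok)."""
    observed = count_quota_messages(log_lines)
    expected = expected_quota_messages(tcp_clients, attempts)
    return observed, expected, observed == expected


def self_check(count=6):
    """Exercise hold_connections against a throwaway local listener (no named
    needed); returns the number of connections established."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # kernel picks a free port
    srv.listen(count)
    srv.settimeout(0.1)
    stop = threading.Event()
    accepted = []

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                accepted.append(conn)
            except socket.timeout:
                continue

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    established = hold_connections("127.0.0.1", srv.getsockname()[1], count,
                                   hold_seconds=0.2)
    stop.set()
    t.join()
    for c in accepted:
        c.close()
    srv.close()
    return established


if __name__ == "__main__":
    HOST, PORT, LOG = "127.0.0.1", 53, "/var/log/syslog"  # assumed resolver/log
    TCP_CLIENTS, ATTEMPTS = 5, 6  # the "tcp-clients 5;" trial from the thread
    with open(LOG) as f:
        f.seek(0, 2)
        start = f.tell()  # only look at lines logged during the test
    hold_connections(HOST, PORT, ATTEMPTS)
    time.sleep(1.0)  # give syslog a moment to flush named's messages
    with open(LOG) as f:
        f.seek(start)
        new_lines = f.readlines()
    print(quota_check(TCP_CLIENTS, ATTEMPTS, new_lines))
```

Run it once against the +deb8u17 package and once against +deb8u18 with the same named.conf; an ok of True in the first run and (5, 1, False) in the second reproduces the observation above.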