Re: bind9 CVE-2017-3137
Hi
On Thu, Apr 20, 2017 at 03:42:13PM +0300, Adrian Minta wrote:
> Hi,
> one of my servers crashed twice in the last 24 hours:
>
> Apr 20 14:51:22 SRV named[37412]: resolver.c:4350: INSIST(fctx->type ==
> ((dns_rdatatype_t)dns_rdatatype_any) || fctx->type == ((dns_rda
> tatype_t)dns_rdatatype_rrsig) || fctx->type ==
> ((dns_rdatatype_t)dns_rdatatype_sig)) failed, back trace
> Apr 20 14:51:22 SRV named[37412]: #0 0x7f9bde355a00 in ??
> Apr 20 14:51:22 SRV named[37412]: #1 0x7f9bdc5318ea in ??
> Apr 20 14:51:22 SRV named[37412]: #2 0x7f9bddc1714e in ??
> Apr 20 14:51:22 SRV named[37412]: #3 0x7f9bdc553d5b in ??
> Apr 20 14:51:22 SRV named[37412]: #4 0x7f9bdbf04064 in ??
> Apr 20 14:51:22 SRV named[37412]: #5 0x7f9bdb8d262d in ??
> Apr 20 14:51:22 SRV named[37412]: exiting (due to assertion failure)
>
> I suspect CVE-2017-3137 for this:
> https://security-tracker.debian.org/tracker/CVE-2017-3137
>
> # dpkg -l | grep bind9
> ii bind9 1:9.9.5.dfsg-9+deb8u10 amd64 Internet Domain
> Name Server
> ii bind9-host 1:9.9.5.dfsg-9+deb8u10 amd64 Version of
> 'host' bundled with BIND 9.X
> ii bind9utils 1:9.9.5.dfsg-9+deb8u10 amd64 Utilities for
> BIND
> ii libbind9-90 1:9.9.5.dfsg-9+deb8u10 amd64 BIND9 Shared
> Library used by BIND
>
>
> Any info or workaround for this vulnerability ?
If possible test the test packages at
https://people.debian.org/~carnil/tmp/bind9/
Regards,
Salvatore
Reply to: