Date: Thu, 6 Mar 2003 11:43:23 -0600
From: Scott Wunsch <bugtraq@...cking.wunsch.org>
To: John <bugtraq@...msday.com>
Subject: Re: BIND 9.2.2 Vulnerabilities?


On Wed, 05-Mar-2003 at 15:46:41 -0600, John wrote:

> That was really what I was trying to get at.  If there are vulnerabilities 
> I don't think that they are being discussed in a manner that brings this 
> to the attention of those of us who are running 9.2.1.  It seems that the 
> announcement was rather low-key and I stumbled across this information on 
> the website almost by mistake.

I'm rather puzzled by it too :-).  Some days before the 9.2.2
release, my 9.2.1 nameserver was getting repeatedly killed (with an
assertion failure) by a stream of DNS queries over TCP from one of our
users.  Every time I restarted it, it would die again within a few seconds.
We "solved" the problem by blocking traffic from the customer who was
generating all the TCP queries.

I reported this to ISC, and was informed that this was fixed in 9.2.2rc1
(but my request for more details was ignored).

So, if nothing else, I consider 9.2.2 to be a fix for a denial of service
problem.

-- 
Take care,
Scott \\'unsch

... Write all complaints in this box (in triplicate): []  Thank You!

