
BIND 9 DoS Update: CVE-2009-0696

BIND, the Berkeley Internet Name Domain service, provides forward (authoritative) and recursive (non-authoritative) DNS lookups for the majority of the internet as we know it. A security vulnerability, detailed in the references below, allows a specially crafted packet to cause the DNS daemon to stop functioning. It is imperative that all “master” DNS servers get updated immediately. More general information on BIND can be found on the project's site.

CVE Information: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0696

RHEL Bug Information: https://bugzilla.redhat.com/show_bug.cgi?id=514292


The NVD at NIST reports the following overview of this issue:

The dns_db_findrdataset function in db.c in named in ISC BIND 9.4 before 9.4.3-P3, 9.5 before 9.5.1-P3, and 9.6 before 9.6.1-P1, when configured as a master server, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an ANY record in the prerequisite section of a crafted dynamic update message, as exploited in the wild in July 2009.
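As an added example (not from the original post or from ISC), the shell functions below classify an upstream BIND version string, such as the one printed by `named -v`, against the fixed releases named in the NVD text above. The function names are hypothetical, and the check assumes upstream version numbering: distribution packages that carry the fix under a vendor release suffix are reported as `unknown` and should be checked against the vendor advisory instead.

```shell
#!/bin/sh
# Added example: classify an upstream BIND version against the fixed releases
# quoted from NVD for CVE-2009-0696 (9.4.3-P3, 9.5.1-P3, 9.6.1-P1).
# Function names are hypothetical; vendor-patched package versions that do not
# follow upstream numbering are reported as "unknown".

# version_key "9.5.1-P2" prints "9 5 1 2" (major minor patch P-level).
version_key() {
    v=${1#BIND }                      # accept "BIND 9.x.y-Pz" from `named -v`
    base=${v%%-*}                     # "9.5.1"
    suffix=${v#"$base"}               # "-P2", or empty
    case $suffix in
        "")       plevel=0 ;;
        -P[0-9]*) plevel=${suffix#-P}; plevel=${plevel%%[!0-9]*} ;;
        *)        return 1 ;;         # vendor release suffixes: not handled
    esac
    # Reject rc/beta tags and malformed dotted numbers.
    case $base in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $base; IFS=$old_ifs
    [ $# -ge 2 ] && [ $# -le 3 ] || return 1
    echo "$1 $2 ${3:-0} $plevel"
}

# cve_2009_0696_status VERSION prints: affected | fixed | unknown
cve_2009_0696_status() {
    key=$(version_key "$1") || { echo unknown; return 0; }
    set -- $key
    [ "$1" -eq 9 ] || { echo unknown; return 0; }
    case $2 in                        # first fixed release on each branch
        4) fix_patch=3; fix_p=3 ;;
        5) fix_patch=1; fix_p=3 ;;
        6) fix_patch=1; fix_p=1 ;;
        *) echo unknown; return 0 ;;  # branch not covered by the NVD text
    esac
    if [ "$3" -lt "$fix_patch" ] ||
       { [ "$3" -eq "$fix_patch" ] && [ "$4" -lt "$fix_p" ]; }; then
        echo affected
    else
        echo fixed
    fi
}

# Usage: sh check_bind.sh "$(named -v)"
if [ $# -gt 0 ]; then cve_2009_0696_status "$1"; fi
```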


Updating BIND on RHEL/CentOS (4/5)

Updated packages are available to ensure you are running the latest release.

Use this command to update bind on yum-based systems:

# yum -y update bind

Updating BIND on Debian / Ubuntu

# apt-get update
# apt-get upgrade
# /etc/init.d/bind9 restart

