FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-18 11:12:36 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
30e4ed7b-1ca6-11da-bc01-000e0c2e438a	bind9 -- denial of service Problem description A DNSSEC-related validator function in BIND 9.3.0 contains an inappropriate internal consistency test. When this test is triggered, named(8) will exit. Impact On systems with DNSSEC enabled, a remote attacker may be able to inject a specially crafted packet that will cause the internal consistency test to trigger, and named(8) to terminate. As a result, the name server will no longer be available to service requests. Workaround DNSSEC is not enabled by default, and the "dnssec-enable" directive is not normally present. If DNSSEC has been enabled, disable it by changing the "dnssec-enable" directive to "dnssec-enable no;" in the named.conf(5) configuration file. Discovery 2005-01-25 Entry 2005-09-03 bind9 eq 9.3.0 FreeBSD ge 5.3 lt 5.3_16 938617 CVE-2005-0034 http://www.uniras.gov.uk/niscc/docs/al-20050125-00060.html?lang=en http://www.isc.org/sw/bind/bind9.3.php#security
83725c91-7c7e-11de-9672-00e0815b8da8	BIND -- Dynamic update message remote DoS Problem Description: When named(8) receives a specially crafted dynamic update message an internal assertion check is triggered which causes named(8) to exit. To trigger the problem, the dynamic update message must contains a record of type "ANY" and at least one resource record set (RRset) for this fully qualified domain name (FQDN) must exist on the server. Impact: An attacker which can send DNS requests to a nameserver can cause it to exit, thus creating a Denial of Service situation. Workaround: No generally applicable workaround is available, but some firewalls may be able to prevent nsupdate DNS packets from reaching the nameserver. NOTE WELL: Merely configuring named(8) to ignore dynamic updates is NOT sufficient to protect it from this vulnerability. Discovery 2009-07-28 Entry 2009-08-01 Modified 2009-08-04 bind9 < 9.3.6.1.1 bind9-sdb-postgresql bind9-sdb-ldap < 9.4.3.3 FreeBSD ge 6.3 lt 6.3_12 ge 6.4 lt 6.4_6 ge 7.1 lt 7.1_7 ge 7.2 lt 7.2_3 CVE-2009-0696 SA-09:12.bind http://www.kb.cert.org/vuls/id/725188 https://www.isc.org/node/474
ef3306fc-8f9b-11db-ab33-000e0c2e438a	bind9 -- Denial of Service in named(8) Problem Description For a recursive DNS server, a remote attacker sending enough recursive queries for the replies to arrive after all the interested clients have left the recursion queue will trigger an INSIST failure in the named(8) daemon. Also for a recursive DNS server, an assertion failure can occur when processing a query whose reply will contain more than one SIG(covered) RRset. For an authoritative DNS server serving a RFC 2535 DNSSEC zone which is queried for the SIG records where there are multiple SIG(covered) RRsets (e.g. a zone apex), named(8) will trigger an assertion failure when it tries to construct the response. Impact An attacker who can perform recursive lookups on a DNS server and is able to send a sufficiently large number of recursive queries, or is able to get the DNS server to return more than one SIG(covered) RRsets can stop the functionality of the DNS service. An attacker querying an authoritative DNS server serving a RFC 2535 DNSSEC zone may be able to crash the DNS server. Workaround A possible workaround is to only allow trusted clients to perform recursive queries. Discovery 2006-09-06 Entry 2006-12-19 Modified 2016-08-09 FreeBSD ge 6.1 lt 6.1_6 ge 6.0 lt 6.0_11 ge 5.5 lt 5.5_4 ge 5.4 lt 5.4_18 ge 5.0 lt 5.3_33 bind9 ge 9.0 lt 9.3.2.1 CVE-2006-4095 CVE-2006-4096 SA-06:20.bind

VuXML ID

Description

30e4ed7b-1ca6-11da-bc01-000e0c2e438a

bind9 -- denial of service

Problem description

A DNSSEC-related validator function in BIND 9.3.0 contains an inappropriate internal consistency test. When this test is triggered, named(8) will exit.

Impact

On systems with DNSSEC enabled, a remote attacker may be able to inject a specially crafted packet that will cause the internal consistency test to trigger, and named(8) to terminate. As a result, the name server will no longer be available to service requests.

Workaround

DNSSEC is not enabled by default, and the "dnssec-enable" directive is not normally present. If DNSSEC has been enabled, disable it by changing the "dnssec-enable" directive to "dnssec-enable no;" in the named.conf(5) configuration file.

Discovery 2005-01-25
Entry 2005-09-03
bind9

eq 9.3.0

FreeBSD

ge 5.3 lt 5.3_16

938617
CVE-2005-0034
http://www.uniras.gov.uk/niscc/docs/al-20050125-00060.html?lang=en
http://www.isc.org/sw/bind/bind9.3.php#security

83725c91-7c7e-11de-9672-00e0815b8da8

BIND -- Dynamic update message remote DoS

Problem Description:

When named(8) receives a specially crafted dynamic update message an internal assertion check is triggered which causes named(8) to exit.

To trigger the problem, the dynamic update message must contains a record of type "ANY" and at least one resource record set (RRset) for this fully qualified domain name (FQDN) must exist on the server.

Impact:

An attacker which can send DNS requests to a nameserver can cause it to exit, thus creating a Denial of Service situation.

Workaround:

No generally applicable workaround is available, but some firewalls may be able to prevent nsupdate DNS packets from reaching the nameserver.

NOTE WELL: Merely configuring named(8) to ignore dynamic updates is NOT sufficient to protect it from this vulnerability.

Discovery 2009-07-28
Entry 2009-08-01
Modified 2009-08-04
bind9

< 9.3.6.1.1

bind9-sdb-postgresql
bind9-sdb-ldap

< 9.4.3.3

FreeBSD

ge 6.3 lt 6.3_12

ge 6.4 lt 6.4_6

ge 7.1 lt 7.1_7

ge 7.2 lt 7.2_3

CVE-2009-0696
SA-09:12.bind
http://www.kb.cert.org/vuls/id/725188
https://www.isc.org/node/474

ef3306fc-8f9b-11db-ab33-000e0c2e438a

bind9 -- Denial of Service in named(8)

Problem Description

For a recursive DNS server, a remote attacker sending enough recursive queries for the replies to arrive after all the interested clients have left the recursion queue will trigger an INSIST failure in the named(8) daemon. Also for a recursive DNS server, an assertion failure can occur when processing a query whose reply will contain more than one SIG(covered) RRset.

For an authoritative DNS server serving a RFC 2535 DNSSEC zone which is queried for the SIG records where there are multiple SIG(covered) RRsets (e.g. a zone apex), named(8) will trigger an assertion failure when it tries to construct the response.

Impact

An attacker who can perform recursive lookups on a DNS server and is able to send a sufficiently large number of recursive queries, or is able to get the DNS server to return more than one SIG(covered) RRsets can stop the functionality of the DNS service.

An attacker querying an authoritative DNS server serving a RFC 2535 DNSSEC zone may be able to crash the DNS server.

Workaround

A possible workaround is to only allow trusted clients to perform recursive queries.

Discovery 2006-09-06
Entry 2006-12-19
Modified 2016-08-09
FreeBSD

ge 6.1 lt 6.1_6

ge 6.0 lt 6.0_11

ge 5.5 lt 5.5_4

ge 5.4 lt 5.4_18

ge 5.0 lt 5.3_33

bind9

ge 9.0 lt 9.3.2.1

CVE-2006-4095
CVE-2006-4096
SA-06:20.bind