Commits

Anonymous committed d162f78

SECURITY UPDATE: CVE-2011-0414 IXFR/DDNS updates

* SECURITY UPDATE: denial of service via IXFR or DDNS update
- debian/patches/CVE-2011-0414.patch: Use correct lock in
lib/dns/rbtdb.c.
- CVE-2011-0414

Signed-off-by: LaMont Jones <lamont@debian.org>

committer: LaMont Jones <lamont@debian.org>

  • Participants
  • Parent commits 8cbe7ae
  • Tags v9.7.1.dfsg.P2-2ubuntu0.2

Comments (0)

Files changed (4)

File debian/changelog

+bind9 (1:9.7.1.dfsg.P2-2ubuntu0.2) maverick-security; urgency=low
+
+  * SECURITY UPDATE: denial of service via IXFR or DDNS update
+    - debian/patches/CVE-2011-0414.patch: Use correct lock in
+      lib/dns/rbtdb.c.
+    - CVE-2011-0414
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 23 Feb 2011 08:30:32 -0500
+
 bind9 (1:9.7.1.dfsg.P2-2ubuntu0.1) maverick-security; urgency=low
 
   * SECURITY UPDATE: denial of service via ncache entry and a rrsig for the

File debian/control

 Source: bind9
 Section: net
 Priority: optional
-Maintainer: Ubuntu Core Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
 XSBC-Original-Maintainer: LaMont Jones <lamont@debian.org>
 Uploaders: Bdale Garbee <bdale@gag.com>
 Build-Depends: libkrb5-dev, debhelper (>= 5), libssl-dev, libtool, bison, libdb-dev (>>4.6), libldap2-dev, libxml2-dev, libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], hardening-wrapper, libgeoip-dev (>= 1.4.6.dfsg-5)
  the BIND 9 lightweight resolver library.  It is essentially a stripped-
  down, caching-only name server that answers queries using the BIND 9
  lightweight resolver protocol rather than the DNS protocol.
-

File debian/patches/CVE-2011-0414.patch

+Description: fix denial of service via IXFR or DDNS update
+Origin: upstream, extracted from 9.7.3 tarball
+
+Index: bind9-9.7.1.dfsg.P2/lib/dns/rbtdb.c
+===================================================================
+--- bind9-9.7.1.dfsg.P2.orig/lib/dns/rbtdb.c	2011-02-23 08:30:13.000000000 -0500
++++ bind9-9.7.1.dfsg.P2/lib/dns/rbtdb.c	2011-02-23 08:30:24.000000000 -0500
+@@ -2116,7 +2116,7 @@
+ 	unsigned int locknum;
+ 	unsigned int refs;
+ 
+-	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
++	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+ 	for (locknum = 0; locknum < rbtdb->node_lock_count; locknum++) {
+ 		NODE_LOCK(&rbtdb->node_locks[locknum].lock,
+ 			  isc_rwlocktype_write);
+@@ -2126,7 +2126,7 @@
+ 		NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+ 			    isc_rwlocktype_write);
+ 	}
+-	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
++	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+ 	if (again)
+ 		isc_task_send(task, &event);
+ 	else {

File debian/patches/series

+CVE-2011-0414.patch
 debian-changes-1:9.7.1.dfsg.P2-2
 CVE-2010-3613-3614.patch