DNS/BIND/bugについて、ここに記述してください。
http://www.isc.org/software/bind/security/matrix /security_matrix ftp://ftp.isc.org/isc/bind9/
Kaminsky bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
- BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1;
< --- 9.5.0-P1 released --- < < 2375. [security] Fully randomize UDP query ports to improve < forgery resilience. [RT #17949] <
その後: まともな対策はされなかったらしい。 (問題点を理解していなかったのか。)
3 CVE-2009-4022 2009-11-25 2011-07-18
2.6
None Remote High Not required None Partial None
Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438. こう書いているということは、キャッシュ毒盛攻撃はport randomizationで十分対応できていると考えてもよさそうだ。 -- ToshinoriMaeno 2011-08-14 14:11:09
https://www.scmagazineus.com/new-bind-9-dns-flaw-is-worse-than-kaminskys/article/140872/
| << < 2024 / 11 > >> | ||||||
|---|---|---|---|---|---|---|
| Mon | Tue | Wed | Thu | Fri | Sat | Sun |
| 1 | 2 | 3 | ||||
| 4 | 5 | 6 | 7 | 8 | 9 | 10 |
| 11 | 12 | 13 | 14 | 15 | 16 | 17 |
| 18 | 19 | 20 | 21 | 22 | 23 | 24 |
| 25 | 26 | 27 | 28 | 29 | 30 | |
http://jprs.jp/tech/security/2011-07-05-bind9-vuln-remote-packet-auth-and-recurse.html
- (緊急)BIND 9.xの脆弱性を利用したサービス不能(DoS)攻撃について
- - キャッシュ/権威DNSサーバーの双方が対象、バージョンアップを強く推奨 -
http://jprs.jp/tech/security/2011-07-05-bind98-vuln-rpz-dname.html
- BIND 9.8.xのResponse Policy Zones(RPZ)機能の実装上のバグによる
- namedのサービス停止について - バージョンアップを強く推奨 -
5月末にもなにかあったが。
https://lists.isc.org/pipermail/bind-announce/2011-March/000685.html
- BIND 9.6-ESV-R4 is a maintenance release for BIND 9.6-ESV. It is critical for those using DNSSEC validation, and strongly recommended otherwise.