ESB-2014.2354 - [Win][UNIX/Linux][Debian] unbound: Denial of service - Remote/unauthenticated

Date: 11 December 2014
References: ESB-2014.2444  ESB-2014.2512  ESB-2015.2902  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2354
                          unbound security update
                             11 December 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           unbound
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-8602  

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-3097

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running unbound check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3097-1                   security@debian.org
http://www.debian.org/security/                         Yves-Alexis Perez
December 10, 2014                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : unbound
CVE ID         : CVE-2014-8602
Debian Bug     : 772622

Florian Maury from ANSSI discovered that unbound, a validating,
recursive, and caching DNS resolver, was prone to a denial of service
vulnerability. An attacker crafting a malicious zone and able to emit
(or make emit) queries to the server can trick the resolver into
following an endless series of delegations, leading to resource
exhaustion and huge network usage.

For the stable distribution (wheezy), this problem has been fixed in
version 1.4.17-3+deb7u2.

For the upcoming stable distribution (jessie), this problem has been
fixed in version 1.4.22-3.

For the unstable distribution (sid), this problem has been fixed in
version 1.4.22-3.

We recommend that you upgrade your unbound packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================