Date: Thu, 18 Feb 2021 20:09:47 -0900
From: ISC Security Officer <security-officer@....org>
To: oss-security@...ts.openwall.com
Cc: "security-officer@....org" <security-officer@....org>
Subject: BIND Operational Notification: Enabling the new BIND option "stale-answer-client-timeout" can result in unexpected server termination

To the packagers and redistributors of BIND --

Regrettably, a problem has been discovered in two of the three public release versions of BIND we issued yesterday (17 February). A change to the serve-stale feature in BIND 9.16.12 and BIND 9.17.10 can cause the server to exit unexpectedly when that feature is in use.

Below is a message we shared with subscribers to our bind-announce public list, and I reproduce it here in case any of you did not see it there.

To most users we are recommending the use of one of the workarounds listed in the Workarounds section of the accompanying Operational Notification document. As packagers and redistributors of BIND, however, you are generally not in a position to choose your users' config options.

We have a couple of recommendations:

1) BIND 9.17.10 is an experimental development release and probably not widely used for building packages. But if you are packaging and/or redistributing BIND 9.16.x and have not yet issued updated packages based on 9.16.12 you might wish to hold off. HOWEVER, you will have also seen that yesterday we disclosed a vulnerability in that version (CVE-2020-8625.) You might prefer to issue a package based on 9.16.11, since the serve-stale bug is not yet present in that version, but with the patch diff found in https://downloads.isc.org/isc/bind9/9.16.12/patches/CVE-2020-8625.patch applied to correct the CVE-2020-8625 vulnerability.

2) If you already have packages based on 9.16.12, we expect to have a patch ready well before the next maintenance release. A candidate patch is under review now and can be delivered after review and quality assurance testing.
If you wish to receive updates on the progress of this patch, please e-mail your request to security-officer@....org

We're sorry for the mess this creates.

Michael McNally
(for ISC Security Officer)

-----

To our users --

Yesterday we issued new release versions of BIND (9.11.28, 9.16.12, and 9.17.10, plus versions 9.11.28-S1 and 9.16.12-S1 of BIND Supported Preview Edition for eligible support customers.)

Unfortunately an issue affecting an extension to the serve-stale functionality in the 9.16.12, 9.17.10, and 9.16.12-S1 releases was not discovered until after the new versions had been published.

The following Operational Notification explains the issue. ONLY operators who are using serve-stale with one of the three BIND versions listed above are at any risk from the defect, and for those customers a choice of several effective configuration workarounds can be found in the "Workarounds" section of the notification. One of the workaround choices disables serve-stale; another reverts the feature to its previous behavior (i.e.: the same way it worked in releases containing the serve-stale feature prior to the ones just issued.)

We regret that our error requires operators using serve-stale with an affected version of BIND to add the workarounds to their configuration in order to avoid hitting the defect, but because the workarounds are effective we are not at this time planning to issue emergency replacement versions of BIND. The flaw in the revised feature will be fixed in the March 2021 maintenance releases, expected on 17 March.

That said, we expect that we will have a patch diff tested and available sooner than that for operators who for whatever reason prefer not to use any of the workarounds but still require the use of serve-stale.
If you require a patch diff, please request one by e-mail to security-officer@....org

Michael McNally
ISC Security Officer

-----

Operational Notification: Enabling the new BIND option "stale-answer-client-timeout" can result in unexpected server termination

Posting date: 18 February 2021

Program impacted: BIND

Versions affected: BIND 9.16.12, BIND 9.16.12-S1 (Supported Preview Edition) and version 9.17.10 of the 9.17 development branch.

Description:

The serve-stale feature (available in BIND 9.11-S, 9.16 and 9.17 branches) has been undergoing some enhancement to bring it into conformance with RFC 8767. As part of this work, in the BIND February 2021 maintenance releases, we added a new feature: 'stale-answer-client-timeout' with a default value of 1800 milliseconds.

BIND servers that have enabled the returning of stale cached answers (i.e. those that have set "stale-answer-enable yes;" in named.conf or where serve-stale features have been enabled during runtime using "rndc serve-stale on") may experience an unexpected server termination (crash) if stale-answer-client-timeout is applied to a client query that is being processed.

Impact:

The named process may terminate unexpectedly with an assertion failure in the procedure ns_query_recurse() in query.c.
Workarounds:

There are three workarounds; if affected by this problem you can choose the one most suited to your needs:

1) Disable stale answers:

    stale-answer-enable no;

2) Enable stale answers, but use stale-answer-client-timeout to indicate a preference for serving stale content before attempting to refresh it:

    stale-answer-client-timeout 0;

3) Enable stale answers but disable the stale-answer-client-timeout (named will not search for a stale answer until an attempt to refresh the data has failed):

    stale-answer-client-timeout off;

Solution:

Code changes which fix the broken behavior are planned for the March 2021 maintenance releases (due 17 March 2021) but until then the measures suggested in the "Workarounds" section are the best solution for server operators using the affected stale-answer-enable setting.

Note: BIND 9.11.28-S1 is unaffected by this problem

Although the serve-stale feature is present in BIND 9.11 Supported Preview Edition, we had not yet back-ported the new 'stale-answer-client-timeout' option when this problem was uncovered.

Do you still have questions?

Questions regarding this advisory should go to security-officer@....org. To report a new issue, please encrypt your message using security-officer@....org's PGP key which can be found here: https://www.isc.org/pgpkey/. If you are unable to use encrypted email, you may also report new issues at: https://www.isc.org/reportbug/.

Note:

ISC patches only currently supported versions. When possible we indicate EOL versions affected. (For current information on which versions are actively supported, please see https://www.isc.org/download/.)

This Knowledgebase article, found at https://kb.isc.org/v1/docs/operational-notification-enabling-new-bind-option-stale-answer-client-timeout-can-result-in-unexpected-server-termination is the complete and official operational notification document.

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time. A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.
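
The exposure condition and workarounds described in the notification above can be checked across a fleet with a short script. This is an added example, not ISC's code and not part of the original message: the function names, verdict strings and sample configurations are constructed for illustration, and the comment stripping and option matching are a simplification of named.conf syntax. The version string is assumed to have been extracted already.

```python
import re

# Releases the notification lists as affected.
AFFECTED = {"9.16.12", "9.16.12-S1", "9.17.10"}
TRUE_WORDS = {"yes", "true", "1"}   # named.conf boolean spellings
WORKAROUND_TIMEOUTS = {"0", "off"}  # workarounds 2 and 3 in the notice


def strip_comments(conf):
    """Drop /* */, // and # comments. Simplified: does not protect
    comment markers that appear inside quoted strings."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def values(conf, option):
    """Every value given for `option`, in options or view blocks alike."""
    pattern = r"(?<![\w-])%s\s+\"?([\w-]+)\"?\s*;" % re.escape(option)
    return [v.lower() for v in re.findall(pattern, conf)]


def assess(version, conf):
    """Classify one server from its version string and named.conf text."""
    if version not in AFFECTED:
        return "unaffected-version"
    conf = strip_comments(conf)
    if not any(v in TRUE_WORDS for v in values(conf, "stale-answer-enable")):
        # Config alone cannot see a runtime "rndc serve-stale on".
        return "serve-stale-not-enabled-in-config"
    timeouts = values(conf, "stale-answer-client-timeout")
    if timeouts and all(t in WORKAROUND_TIMEOUTS for t in timeouts):
        return "workaround-present"
    # Option absent means the 1800 ms default applies.
    return "at-risk"


# Constructed sample configurations, not taken from any real server.
SAMPLE_DEFAULT = """
options {
    directory "/var/named";
    stale-answer-enable yes;   // serve-stale on, timeout left at default
    # stale-answer-client-timeout off;
};
"""
SAMPLE_FIXED = SAMPLE_DEFAULT.replace(
    "# stale-answer-client-timeout off;", "stale-answer-client-timeout off;")

if __name__ == "__main__":
    for name, conf in (("default", SAMPLE_DEFAULT), ("fixed", SAMPLE_FIXED)):
        print(name, assess("9.16.12", conf))
```

A "serve-stale-not-enabled-in-config" verdict still needs a check that nobody has run "rndc serve-stale on" against the running server, since that state is not recorded in named.conf.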