By Alan Hargreaves-Oracle on Jul 30, 2009
Yesterday I noticed an article titled "New DoS Vulnerability in All versions of BIND 9" on Slashdot. The article refers to "BIND Dynamic Update DoS" at the ISC site, describing "Vulnerability Note VU#725188 - ISC BIND 9 vulnerable to denial of service via dynamic update request".
This very rapidly caused a stir on a few internal mailing lists that I'm on, and work began on addressing this as:
6865903 Updated, P1 network/dns CVE-2009-0696 BIND dynamic update problem
The current status of this within Sun is that the Interim Security Reliefs (ISR) are available from http://sunsolve.sun.com/tpatches for the following releases:
- Solaris 10 IDR142522-01
- Solaris 9 IDR142524-01
- Solaris 10 IDR142523-01
- Solaris 9 IDR142525-01
Sun Alert 264828 is on its way to being published. When published, it will be available from: http://sunsolve.sun.com/search/document.do?assetkey=1-66-264828-1
The fix is planned for build 121 for OpenSolaris/Nevada and we're attempting to get it into the next possible release Support Repository Update (SRU3).
It turns out that the Solaris 9 ISR patches rely on an unreleased patch for Solaris 9. Work is underway to get this dependency out quickly,