Slashdot Mirror

← Back to Stories (view on slashdot.org)

Potential 0-Day Vulnerability For BIND 9

Posted by Soulskill on from the bind-your-own-business dept.

Morty writes "BIND, the popular DNS server software, has been crashing all over the Internet. The root cause is believed to be a 0-day vulnerability in BIND's resolver. The ISC has issued an alert. Quoting: 'An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure. ISC is working on determining the ultimate cause by which a record with this particular inconsistency is cached. At this time we are making available a patch which makes named recover gracefully from the inconsistency, preventing the abnormal exit.'"

2 of 187 comments (clear)

  1. Re:Impossible! by 1s44c · · Score: 5, Insightful

    It's open source, and has had years to mature...so many eyes on it that this couldn't possibly happen.

    We don't even know what is happening yet. Maybe it's just a DOS, maybe it's a potential exploit. What we do know is that no-one has any need to put recursive DNS servers on the internet unless they are running an ISP or a DNS service.

  2. Re:Open sores == fail by NoNonAlphaCharsHere · · Score: 5, Insightful

    I can see this is going to be a long thread full of trolls about open source, but the fact of the matter is that an application "crashing" (really ABENDing) due to an assertion failure is actually a sign of software doing what it was designed to do. Assert statements are used to check for "impossible" conditions, and have the program scream and die if one is found. So what we have here is a careful programmer's backstop doing its job.