[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1NXh6r-0001kz-Pa@titan.mandriva.com>
Date: Wed, 20 Jan 2010 21:25:01 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:021 ] bind
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:021
http://www.mandriva.com/security/
_______________________________________________________________________
Package : bind
Date : January 20, 2010
Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0,
Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Some vulnerabilities were discovered and corrected in bind:
The original fix for CVE-2009-4022 was found to be incomplete. BIND
was incorrectly caching certain responses without performing proper
DNSSEC validation. CNAME and DNAME records could be cached, without
proper DNSSEC validation, when received from processing recursive
client queries that requested DNSSEC records but indicated that
checking should be disabled. A remote attacker could use this flaw
to bypass the DNSSEC validation check and perform a cache poisoning
attack if the target BIND server was receiving such client queries
(CVE-2010-0290).
There was an error in the DNSSEC NSEC/NSEC3 validation code that
could cause bogus NXDOMAIN responses (that is, NXDOMAIN responses
for records proven by NSEC or NSEC3 to exist) to be cached as if they
had validated correctly, so that future queries to the resolver would
return the bogus NXDOMAIN with the AD flag set (CVE-2010-0097).
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
Additionally BIND has been upgraded to the latest patch release
version.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0290
https://www.isc.org/node/504
https://www.isc.org/advisories/CVE-2009-4022v6
https://www.isc.org/advisories/CVE-2010-0097
https://bugzilla.redhat.com/show_bug.cgi?id=557121
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
1e34c922d8288315da7f0b56eff4dedb 2008.0/i586/bind-9.4.3-0.2mdv2008.0.i586.rpm
4f70cf5495d8da10420809b7d0517ff5 2008.0/i586/bind-devel-9.4.3-0.2mdv2008.0.i586.rpm
16731072aefc3dbace3223b45298fc5f 2008.0/i586/bind-utils-9.4.3-0.2mdv2008.0.i586.rpm
a006840a69139819aa67fcf2ea8a639a 2008.0/SRPMS/bind-9.4.3-0.2mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
17a1bc4c41a8bc3ce017f4f943c82055 2008.0/x86_64/bind-9.4.3-0.2mdv2008.0.x86_64.rpm
241c61e333d2ee2a7a5039382c3bb86f 2008.0/x86_64/bind-devel-9.4.3-0.2mdv2008.0.x86_64.rpm
bc515c70242c2e4c474ee5fa7c14225b 2008.0/x86_64/bind-utils-9.4.3-0.2mdv2008.0.x86_64.rpm
a006840a69139819aa67fcf2ea8a639a 2008.0/SRPMS/bind-9.4.3-0.2mdv2008.0.src.rpm
Mandriva Linux 2009.0:
8b26305703ab02b06e48ff14536e028c 2009.0/i586/bind-9.5.2-0.2mdv2009.0.i586.rpm
d9575243d10ff6d1b89e9f863f745bf5 2009.0/i586/bind-devel-9.5.2-0.2mdv2009.0.i586.rpm
843fa0de56e209e035baae810fead5a7 2009.0/i586/bind-doc-9.5.2-0.2mdv2009.0.i586.rpm
d0e73fb1d7c1cccd4a72571e9c7603e9 2009.0/i586/bind-utils-9.5.2-0.2mdv2009.0.i586.rpm
6568c238267d1d547804d37256704bf9 2009.0/SRPMS/bind-9.5.2-0.2mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
b49ef48bf6db6c7d0de0da4a0de7401d 2009.0/x86_64/bind-9.5.2-0.2mdv2009.0.x86_64.rpm
f4a281ec99558e09233d8e1142f08e0e 2009.0/x86_64/bind-devel-9.5.2-0.2mdv2009.0.x86_64.rpm
d2ce2753ea50d65f6e6222745f972ff9 2009.0/x86_64/bind-doc-9.5.2-0.2mdv2009.0.x86_64.rpm
4ddf41b2ad82a4de63ad7a5127a69194 2009.0/x86_64/bind-utils-9.5.2-0.2mdv2009.0.x86_64.rpm
6568c238267d1d547804d37256704bf9 2009.0/SRPMS/bind-9.5.2-0.2mdv2009.0.src.rpm
Mandriva Linux 2009.1:
d74f7d990791e26e6726856139973e9a 2009.1/i586/bind-9.6.1-0.2mdv2009.1.i586.rpm
d7985532881c21424277cdcb60d18114 2009.1/i586/bind-devel-9.6.1-0.2mdv2009.1.i586.rpm
bc17c2cc6bdcdbbfb4e1395bd439ba88 2009.1/i586/bind-doc-9.6.1-0.2mdv2009.1.i586.rpm
41f9b55e7c76a86edb2ac0acf27e553e 2009.1/i586/bind-utils-9.6.1-0.2mdv2009.1.i586.rpm
c942e994b97a336f4fd5a0c5cf738549 2009.1/SRPMS/bind-9.6.1-0.2mdv2009.1.src.rpm
Mandriva Linux 2009.1/X86_64:
fb5d4184bee0c7043b94a3e84a0157b3 2009.1/x86_64/bind-9.6.1-0.2mdv2009.1.x86_64.rpm
bb6ca433443ab453c73a3f3576537664 2009.1/x86_64/bind-devel-9.6.1-0.2mdv2009.1.x86_64.rpm
78e18eea9b23f6efbf2e5344fc2cc648 2009.1/x86_64/bind-doc-9.6.1-0.2mdv2009.1.x86_64.rpm
1adb16932dda446bd5abaaa276ad124d 2009.1/x86_64/bind-utils-9.6.1-0.2mdv2009.1.x86_64.rpm
c942e994b97a336f4fd5a0c5cf738549 2009.1/SRPMS/bind-9.6.1-0.2mdv2009.1.src.rpm
Mandriva Linux 2010.0:
2a43dd3cd4114c76c29ac84c33b75fef 2010.0/i586/bind-9.6.1-4.2mdv2010.0.i586.rpm
f7146dd8d890f98582f536493e92a83f 2010.0/i586/bind-devel-9.6.1-4.2mdv2010.0.i586.rpm
5df56342d4c411b04e87f77117b6804c 2010.0/i586/bind-doc-9.6.1-4.2mdv2010.0.i586.rpm
fb09cf1c22611a49f9e4f75554a337be 2010.0/i586/bind-utils-9.6.1-4.2mdv2010.0.i586.rpm
f6459d6a6e926070e97e7aba94170631 2010.0/SRPMS/bind-9.6.1-4.2mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
53202e9e4bde9cca54bc15f45e5c792e 2010.0/x86_64/bind-9.6.1-4.2mdv2010.0.x86_64.rpm
c086ca1a71254192b535a1c1f3237a88 2010.0/x86_64/bind-devel-9.6.1-4.2mdv2010.0.x86_64.rpm
154ab6458564150b255a2f812e20692d 2010.0/x86_64/bind-doc-9.6.1-4.2mdv2010.0.x86_64.rpm
fb0e3afd17b048d410fb5d9b804ab122 2010.0/x86_64/bind-utils-9.6.1-4.2mdv2010.0.x86_64.rpm
f6459d6a6e926070e97e7aba94170631 2010.0/SRPMS/bind-9.6.1-4.2mdv2010.0.src.rpm
Corporate 4.0:
5d343162e5df4074f8a766e5ba412c16 corporate/4.0/i586/bind-9.4.3-0.2.20060mlcs4.i586.rpm
d1d81bb03511aa5045b377b8d5b9dda5 corporate/4.0/i586/bind-devel-9.4.3-0.2.20060mlcs4.i586.rpm
1c88a5de62896395a79cecabf756f297 corporate/4.0/i586/bind-utils-9.4.3-0.2.20060mlcs4.i586.rpm
34b8febb59628c25f594a90989f3d4ea corporate/4.0/SRPMS/bind-9.4.3-0.2.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
4f2a0f0de08ca058aee7c3935290064e corporate/4.0/x86_64/bind-9.4.3-0.2.20060mlcs4.x86_64.rpm
8a5569c45fe9ee2263f6dbbdca195684 corporate/4.0/x86_64/bind-devel-9.4.3-0.2.20060mlcs4.x86_64.rpm
d7466a30a031271fa6d911f1dafa561c corporate/4.0/x86_64/bind-utils-9.4.3-0.2.20060mlcs4.x86_64.rpm
34b8febb59628c25f594a90989f3d4ea corporate/4.0/SRPMS/bind-9.4.3-0.2.20060mlcs4.src.rpm
Mandriva Enterprise Server 5:
30fe9bb51f78f199d785ff4e6c999708 mes5/i586/bind-9.5.2-0.2mdvmes5.i586.rpm
290b224bcf4710b5bd8b054d903b7450 mes5/i586/bind-devel-9.5.2-0.2mdvmes5.i586.rpm
069cb4acbec0393d2d8249f971f4077a mes5/i586/bind-doc-9.5.2-0.2mdvmes5.i586.rpm
b29152a5ac58aa5296be30ceadfc3890 mes5/i586/bind-utils-9.5.2-0.2mdvmes5.i586.rpm
d7d2d8703f26e20ec36bfaf2816dd060 mes5/SRPMS/bind-9.5.2-0.2mdvmes5.src.rpm
Mandriva Enterprise Server 5/X86_64:
6cdae79e993981af90e491693a6d49b4 mes5/x86_64/bind-9.5.2-0.2mdvmes5.x86_64.rpm
b042420f74563e0c9451fdf6d0b91d3e mes5/x86_64/bind-devel-9.5.2-0.2mdvmes5.x86_64.rpm
a31659cdba90b49518e05ee0a9787c96 mes5/x86_64/bind-doc-9.5.2-0.2mdvmes5.x86_64.rpm
badabfcf913acd2e9b83da6fe33c97cb mes5/x86_64/bind-utils-9.5.2-0.2mdvmes5.x86_64.rpm
d7d2d8703f26e20ec36bfaf2816dd060 mes5/SRPMS/bind-9.5.2-0.2mdvmes5.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFLVzchmqjQ0CJFipgRAug2AJ9cykjSF4FXGsupy/KcoitoqbDmJQCfZw6y
Fw4zovyshx4dVKSm+x9gssQ=
=UlsE
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists