Message-Id: <E1NXh6r-0001kz-Pa@titan.mandriva.com>
Date: Wed, 20 Jan 2010 21:25:01 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:021 ] bind


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:021
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : bind
 Date    : January 20, 2010
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0,
           Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Some vulnerabilities were discovered and corrected in bind:
 
 The original fix for CVE-2009-4022 was found to be incomplete. BIND
 was incorrectly caching certain responses without performing proper
 DNSSEC validation. CNAME and DNAME records could be cached, without
 proper DNSSEC validation, when received from processing recursive
 client queries that requested DNSSEC records but indicated that
 checking should be disabled. A remote attacker could use this flaw
 to bypass the DNSSEC validation check and perform a cache poisoning
 attack if the target BIND server was receiving such client queries
 (CVE-2010-0290).
 
 There was an error in the DNSSEC NSEC/NSEC3 validation code that
 could cause bogus NXDOMAIN responses (that is, NXDOMAIN responses
 for records proven by NSEC or NSEC3 to exist) to be cached as if they
 had validated correctly, so that future queries to the resolver would
 return the bogus NXDOMAIN with the AD flag set (CVE-2010-0097).
 
 Packages for 2008.0 are provided for Corporate Desktop 2008.0
 customers.
 
 Additionally, BIND has been upgraded to the latest patch release
 version.
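To make the caching flaw behind CVE-2010-0290 concrete, here is a small model added for this page. It is not ISC BIND code, and BIND's real cache and validator are far more involved; the names, the query bytes and the "mark unvalidated and do not serve it to validating clients" strategy are assumptions chosen only to show the principle the advisory describes: data fetched on behalf of a client that set CD (Checking Disabled) was placed in the shared cache as though it had been validated, so later clients that never asked for checking to be disabled received it with AD set.

```python
import struct

# DNS header flag bits in the second 16-bit word (RFC 1035, RFC 4035).
FLAG_QR = 1 << 15   # response
FLAG_AD = 1 << 5    # Authentic Data: set by a validating resolver
FLAG_CD = 1 << 4    # Checking Disabled: client asks that validation be skipped


def build_header(msg_id: int, flags: int, qdcount: int = 1) -> bytes:
    """Constructed 12-byte DNS header (ID, flags, QD/AN/NS/AR counts)."""
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, 0, 0, 0)


def parse_header_flags(msg: bytes) -> dict:
    """Pull the QR/AD/CD bits and RCODE out of a wire-format DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _msg_id, flags = struct.unpack("!HH", msg[:4])
    return {
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
    }


class ResolverCache:
    """Toy shared cache keyed by (name, type). Each entry carries a
    'validated' mark that decides whether AD may be set when serving it.
    This is a simplified model, not BIND's cache."""

    def __init__(self, fixed: bool):
        self.fixed = fixed       # False models the pre-fix behaviour
        self.entries = {}        # (name, rtype) -> (rdata, validated)

    def admit(self, name, rtype, rdata, query_cd, validator_result):
        """Store data fetched on behalf of one client query.
        validator_result is True/False for a validated query and None when
        CD was set (the validator was skipped, so nothing is known)."""
        if query_cd:
            # Pre-fix: data fetched for a CD query entered the cache
            # indistinguishable from validated data.
            # Fixed: it is kept for CD clients only, marked unvalidated.
            self.entries[(name, rtype)] = (rdata, not self.fixed)
        elif validator_result:
            self.entries[(name, rtype)] = (rdata, True)
        # Data the validator rejected is not cached at all.

    def lookup(self, name, rtype, query_cd):
        """Return (rdata, ad_flag), or None if a fresh validated fetch is needed."""
        entry = self.entries.get((name, rtype))
        if entry is None:
            return None
        rdata, validated = entry
        if validated:
            return rdata, True
        if query_cd:
            return rdata, False   # CD client accepts unvalidated data, AD clear
        return None               # validating client: do not serve it


def poisoning_scenario(fixed: bool):
    """Constructed sequence from the advisory: a CD client's query pulls an
    unvalidated CNAME into the cache, then an ordinary client asks for it."""
    cache = ResolverCache(fixed)
    # Client A sends a query with CD set (validation disabled).
    flags_a = parse_header_flags(build_header(0x1234, FLAG_CD))
    # The upstream answer for that query is a CNAME the validator never saw.
    cache.admit("www.example.test.", "CNAME", "unverified-target.example.",
                query_cd=flags_a["cd"], validator_result=None)
    # Client B sends an ordinary query with CD clear.
    flags_b = parse_header_flags(build_header(0x5678, 0))
    return cache.lookup("www.example.test.", "CNAME", flags_b["cd"])
```

With `fixed=False` the second client is handed the unvalidated CNAME with AD set, which is the cache-poisoning outcome the advisory describes; with `fixed=True` the lookup returns nothing and the resolver must fetch and validate before answering. The detection-side takeaway is the same as the model's: a validating resolver should never return AD on data that no validator has passed, so a test client that sends a CD query and then a plain query for the same name and compares AD flags is a quick way to check a resolver's behaviour.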
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0097
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0290
 https://www.isc.org/node/504
 https://www.isc.org/advisories/CVE-2009-4022v6
 https://www.isc.org/advisories/CVE-2010-0097
 https://bugzilla.redhat.com/show_bug.cgi?id=557121
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 1e34c922d8288315da7f0b56eff4dedb  2008.0/i586/bind-9.4.3-0.2mdv2008.0.i586.rpm
 4f70cf5495d8da10420809b7d0517ff5  2008.0/i586/bind-devel-9.4.3-0.2mdv2008.0.i586.rpm
 16731072aefc3dbace3223b45298fc5f  2008.0/i586/bind-utils-9.4.3-0.2mdv2008.0.i586.rpm 
 a006840a69139819aa67fcf2ea8a639a  2008.0/SRPMS/bind-9.4.3-0.2mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 17a1bc4c41a8bc3ce017f4f943c82055  2008.0/x86_64/bind-9.4.3-0.2mdv2008.0.x86_64.rpm
 241c61e333d2ee2a7a5039382c3bb86f  2008.0/x86_64/bind-devel-9.4.3-0.2mdv2008.0.x86_64.rpm
 bc515c70242c2e4c474ee5fa7c14225b  2008.0/x86_64/bind-utils-9.4.3-0.2mdv2008.0.x86_64.rpm 
 a006840a69139819aa67fcf2ea8a639a  2008.0/SRPMS/bind-9.4.3-0.2mdv2008.0.src.rpm

 Mandriva Linux 2009.0:
 8b26305703ab02b06e48ff14536e028c  2009.0/i586/bind-9.5.2-0.2mdv2009.0.i586.rpm
 d9575243d10ff6d1b89e9f863f745bf5  2009.0/i586/bind-devel-9.5.2-0.2mdv2009.0.i586.rpm
 843fa0de56e209e035baae810fead5a7  2009.0/i586/bind-doc-9.5.2-0.2mdv2009.0.i586.rpm
 d0e73fb1d7c1cccd4a72571e9c7603e9  2009.0/i586/bind-utils-9.5.2-0.2mdv2009.0.i586.rpm 
 6568c238267d1d547804d37256704bf9  2009.0/SRPMS/bind-9.5.2-0.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 b49ef48bf6db6c7d0de0da4a0de7401d  2009.0/x86_64/bind-9.5.2-0.2mdv2009.0.x86_64.rpm
 f4a281ec99558e09233d8e1142f08e0e  2009.0/x86_64/bind-devel-9.5.2-0.2mdv2009.0.x86_64.rpm
 d2ce2753ea50d65f6e6222745f972ff9  2009.0/x86_64/bind-doc-9.5.2-0.2mdv2009.0.x86_64.rpm
 4ddf41b2ad82a4de63ad7a5127a69194  2009.0/x86_64/bind-utils-9.5.2-0.2mdv2009.0.x86_64.rpm 
 6568c238267d1d547804d37256704bf9  2009.0/SRPMS/bind-9.5.2-0.2mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 d74f7d990791e26e6726856139973e9a  2009.1/i586/bind-9.6.1-0.2mdv2009.1.i586.rpm
 d7985532881c21424277cdcb60d18114  2009.1/i586/bind-devel-9.6.1-0.2mdv2009.1.i586.rpm
 bc17c2cc6bdcdbbfb4e1395bd439ba88  2009.1/i586/bind-doc-9.6.1-0.2mdv2009.1.i586.rpm
 41f9b55e7c76a86edb2ac0acf27e553e  2009.1/i586/bind-utils-9.6.1-0.2mdv2009.1.i586.rpm 
 c942e994b97a336f4fd5a0c5cf738549  2009.1/SRPMS/bind-9.6.1-0.2mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 fb5d4184bee0c7043b94a3e84a0157b3  2009.1/x86_64/bind-9.6.1-0.2mdv2009.1.x86_64.rpm
 bb6ca433443ab453c73a3f3576537664  2009.1/x86_64/bind-devel-9.6.1-0.2mdv2009.1.x86_64.rpm
 78e18eea9b23f6efbf2e5344fc2cc648  2009.1/x86_64/bind-doc-9.6.1-0.2mdv2009.1.x86_64.rpm
 1adb16932dda446bd5abaaa276ad124d  2009.1/x86_64/bind-utils-9.6.1-0.2mdv2009.1.x86_64.rpm 
 c942e994b97a336f4fd5a0c5cf738549  2009.1/SRPMS/bind-9.6.1-0.2mdv2009.1.src.rpm

 Mandriva Linux 2010.0:
 2a43dd3cd4114c76c29ac84c33b75fef  2010.0/i586/bind-9.6.1-4.2mdv2010.0.i586.rpm
 f7146dd8d890f98582f536493e92a83f  2010.0/i586/bind-devel-9.6.1-4.2mdv2010.0.i586.rpm
 5df56342d4c411b04e87f77117b6804c  2010.0/i586/bind-doc-9.6.1-4.2mdv2010.0.i586.rpm
 fb09cf1c22611a49f9e4f75554a337be  2010.0/i586/bind-utils-9.6.1-4.2mdv2010.0.i586.rpm 
 f6459d6a6e926070e97e7aba94170631  2010.0/SRPMS/bind-9.6.1-4.2mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 53202e9e4bde9cca54bc15f45e5c792e  2010.0/x86_64/bind-9.6.1-4.2mdv2010.0.x86_64.rpm
 c086ca1a71254192b535a1c1f3237a88  2010.0/x86_64/bind-devel-9.6.1-4.2mdv2010.0.x86_64.rpm
 154ab6458564150b255a2f812e20692d  2010.0/x86_64/bind-doc-9.6.1-4.2mdv2010.0.x86_64.rpm
 fb0e3afd17b048d410fb5d9b804ab122  2010.0/x86_64/bind-utils-9.6.1-4.2mdv2010.0.x86_64.rpm 
 f6459d6a6e926070e97e7aba94170631  2010.0/SRPMS/bind-9.6.1-4.2mdv2010.0.src.rpm

 Corporate 4.0:
 5d343162e5df4074f8a766e5ba412c16  corporate/4.0/i586/bind-9.4.3-0.2.20060mlcs4.i586.rpm
 d1d81bb03511aa5045b377b8d5b9dda5  corporate/4.0/i586/bind-devel-9.4.3-0.2.20060mlcs4.i586.rpm
 1c88a5de62896395a79cecabf756f297  corporate/4.0/i586/bind-utils-9.4.3-0.2.20060mlcs4.i586.rpm 
 34b8febb59628c25f594a90989f3d4ea  corporate/4.0/SRPMS/bind-9.4.3-0.2.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 4f2a0f0de08ca058aee7c3935290064e  corporate/4.0/x86_64/bind-9.4.3-0.2.20060mlcs4.x86_64.rpm
 8a5569c45fe9ee2263f6dbbdca195684  corporate/4.0/x86_64/bind-devel-9.4.3-0.2.20060mlcs4.x86_64.rpm
 d7466a30a031271fa6d911f1dafa561c  corporate/4.0/x86_64/bind-utils-9.4.3-0.2.20060mlcs4.x86_64.rpm 
 34b8febb59628c25f594a90989f3d4ea  corporate/4.0/SRPMS/bind-9.4.3-0.2.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 30fe9bb51f78f199d785ff4e6c999708  mes5/i586/bind-9.5.2-0.2mdvmes5.i586.rpm
 290b224bcf4710b5bd8b054d903b7450  mes5/i586/bind-devel-9.5.2-0.2mdvmes5.i586.rpm
 069cb4acbec0393d2d8249f971f4077a  mes5/i586/bind-doc-9.5.2-0.2mdvmes5.i586.rpm
 b29152a5ac58aa5296be30ceadfc3890  mes5/i586/bind-utils-9.5.2-0.2mdvmes5.i586.rpm 
 d7d2d8703f26e20ec36bfaf2816dd060  mes5/SRPMS/bind-9.5.2-0.2mdvmes5.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 6cdae79e993981af90e491693a6d49b4  mes5/x86_64/bind-9.5.2-0.2mdvmes5.x86_64.rpm
 b042420f74563e0c9451fdf6d0b91d3e  mes5/x86_64/bind-devel-9.5.2-0.2mdvmes5.x86_64.rpm
 a31659cdba90b49518e05ee0a9787c96  mes5/x86_64/bind-doc-9.5.2-0.2mdvmes5.x86_64.rpm
 badabfcf913acd2e9b83da6fe33c97cb  mes5/x86_64/bind-utils-9.5.2-0.2mdvmes5.x86_64.rpm 
 d7d2d8703f26e20ec36bfaf2816dd060  mes5/SRPMS/bind-9.5.2-0.2mdvmes5.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.
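For anyone fetching the packages by hand rather than through urpmi, the checksum list above can be checked directly. The following is an added example written for this page, not a Mandriva tool: it parses "Updated Packages" lines of the form shown in this advisory into a path-to-MD5 map and compares them against files in a local mirror directory. The excerpt lines are copied from the 2010.0 section above; the package files in the demo are constructed and their names are made up.

```python
import hashlib
import os
import re
import tempfile

# One "Updated Packages" line: 32 hex MD5 digits, whitespace, a relative path.
CHECKSUM_LINE = re.compile(r"^\s*([0-9a-f]{32})\s+(\S+)\s*$")


def parse_checksums(advisory_text: str) -> dict:
    """Map relative package path -> expected MD5 from advisory text."""
    expected = {}
    for line in advisory_text.splitlines():
        m = CHECKSUM_LINE.match(line)
        if m:
            expected[m.group(2)] = m.group(1)
    return expected


def md5_of_file(path: str) -> str:
    """Stream a file through MD5 so large RPMs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(expected: dict, mirror_dir: str) -> dict:
    """Return path -> 'ok' | 'mismatch' | 'missing' for every advisory entry."""
    results = {}
    for rel, digest in expected.items():
        path = os.path.join(mirror_dir, rel)
        if not os.path.isfile(path):
            results[rel] = "missing"
        elif md5_of_file(path) == digest:
            results[rel] = "ok"
        else:
            results[rel] = "mismatch"
    return results


# Lines copied from this advisory's 2010.0 i586 section, used to exercise the parser.
ADVISORY_EXCERPT = """\
 Mandriva Linux 2010.0:
 2a43dd3cd4114c76c29ac84c33b75fef  2010.0/i586/bind-9.6.1-4.2mdv2010.0.i586.rpm
 fb09cf1c22611a49f9e4f75554a337be  2010.0/i586/bind-utils-9.6.1-4.2mdv2010.0.i586.rpm
 f6459d6a6e926070e97e7aba94170631  2010.0/SRPMS/bind-9.6.1-4.2mdv2010.0.src.rpm
"""


def demo() -> dict:
    """Constructed end-to-end run: fake 'packages' in a temp dir, one of
    them altered after its checksum line was produced, one never downloaded."""
    with tempfile.TemporaryDirectory() as mirror:
        os.makedirs(os.path.join(mirror, "2010.0", "i586"))
        good = os.path.join(mirror, "2010.0", "i586", "bind-good.rpm")
        bad = os.path.join(mirror, "2010.0", "i586", "bind-bad.rpm")
        with open(good, "wb") as f:
            f.write(b"constructed package contents A\n")
        with open(bad, "wb") as f:
            f.write(b"constructed package contents B\n")
        # Build a checksum list in the advisory's format from the pristine files;
        # the third entry is a placeholder digest for a package never fetched.
        listing = "\n".join(
            f" {md5_of_file(p)}  {rel}"
            for p, rel in ((good, "2010.0/i586/bind-good.rpm"),
                           (bad, "2010.0/i586/bind-bad.rpm"))
        ) + "\n 0123456789abcdef0123456789abcdef  2010.0/i586/bind-absent.rpm\n"
        # Simulate a corrupted or substituted download.
        with open(bad, "ab") as f:
            f.write(b"tampered\n")
        return verify_downloads(parse_checksums(listing), mirror)
```

The MD5 list catches transfer corruption and an obviously wrong file, but MD5 is not collision-resistant, so authenticity rests on the GPG signatures that urpmi checks on each package (and on verifying the PGP signature of the advisory text itself before trusting its checksum list).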

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLVzchmqjQ0CJFipgRAug2AJ9cykjSF4FXGsupy/KcoitoqbDmJQCfZw6y
Fw4zovyshx4dVKSm+x9gssQ=
=UlsE
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
