[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1PSak9-0004lY-15@titan.mandriva.com>
Date: Tue, 14 Dec 2010 20:41:00 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:253 ] bind
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:253
http://www.mandriva.com/security/
_______________________________________________________________________
Package : bind
Date : December 14, 2010
Affected: 2009.0, 2010.0, 2010.1, Corporate 4.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities were discovered and corrected in bind:
named in ISC BIND 9.6.2 before 9.6.2-P3, 9.6-ESV before 9.6-ESV-R3,
and 9.7.x before 9.7.2-P3 does not properly handle the combination
of signed negative responses and corresponding RRSIG records in the
cache, which allows remote attackers to cause a denial of service
(daemon crash) via a query for cached data (CVE-2010-3613).
named in ISC BIND 9.x before 9.6.2-P3, 9.7.x before 9.7.2-P3,
9.4-ESV before 9.4-ESV-R4, and 9.6-ESV before 9.6-ESV-R3 does not
properly determine the security status of an NS RRset during a DNSKEY
algorithm rollover, which might allow remote attackers to cause a
denial of service (DNSSEC validation error) by triggering a rollover
(CVE-2010-3614).
ISC BIND before 9.7.2-P2, when DNSSEC validation is enabled, does
not properly handle certain bad signatures if multiple trust anchors
exist for a single zone, which allows remote attackers to cause a
denial of service (daemon crash) via a DNS query (CVE-2010-3762).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages for Corporate Server 4.0 has been patched to
address these issues.
The updated packages for Mandriva Linux 2009.0, 2010.0 and Mandriva
Linux Enterprise Server 5.1 has been upgraded to bind-9.6.2-P3 and
patched to address the CVE-2010-3762 security issue.
The updated packages for Mandriva Linux 2010.1 has been upgraded to
bind-9.7.2-P3 which is not vulnerable to these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3613
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3614
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3762
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
c244e578f17c88632203ae229e930319 2009.0/i586/bind-9.6.2-0.2mdv2009.0.i586.rpm
7394a97fb84683afd1e99643be659dbe 2009.0/i586/bind-devel-9.6.2-0.2mdv2009.0.i586.rpm
d4ec2420805067df8e5dfa615253d9d5 2009.0/i586/bind-doc-9.6.2-0.2mdv2009.0.i586.rpm
49b9e3f63f5cb5e4f17f1d471c96693d 2009.0/i586/bind-utils-9.6.2-0.2mdv2009.0.i586.rpm
de6adf490a34d59d2a5478b13d1fcae6 2009.0/SRPMS/bind-9.6.2-0.2mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
f100a5d94b32d4ea354010205dd61c95 2009.0/x86_64/bind-9.6.2-0.2mdv2009.0.x86_64.rpm
0b7d2dec10b7d523225c8fc072942a3f 2009.0/x86_64/bind-devel-9.6.2-0.2mdv2009.0.x86_64.rpm
4762a0979b196d4fe2f9ec597b9bab17 2009.0/x86_64/bind-doc-9.6.2-0.2mdv2009.0.x86_64.rpm
11a3f380c29d0167305a14789f0a1342 2009.0/x86_64/bind-utils-9.6.2-0.2mdv2009.0.x86_64.rpm
de6adf490a34d59d2a5478b13d1fcae6 2009.0/SRPMS/bind-9.6.2-0.2mdv2009.0.src.rpm
Mandriva Linux 2010.0:
26070dd85164e6a55d525b0911d8a5b9 2010.0/i586/bind-9.6.2-0.2mdv2010.0.i586.rpm
3462f0f35c63e10bc7c434c41ed920ed 2010.0/i586/bind-devel-9.6.2-0.2mdv2010.0.i586.rpm
e9de811a81102bb59e88f0203c2d6c2f 2010.0/i586/bind-doc-9.6.2-0.2mdv2010.0.i586.rpm
74bf83c6d618bee1a271dfb4b5fe90d9 2010.0/i586/bind-utils-9.6.2-0.2mdv2010.0.i586.rpm
66fa1bdf42920a011ce35fadfa8599ec 2010.0/SRPMS/bind-9.6.2-0.2mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
8d5dfbfed95fcde4f4e1f7f55d843d53 2010.0/x86_64/bind-9.6.2-0.2mdv2010.0.x86_64.rpm
c924c51f720f698392acc9499b279574 2010.0/x86_64/bind-devel-9.6.2-0.2mdv2010.0.x86_64.rpm
4b9f532080b0235765892643c26b3b34 2010.0/x86_64/bind-doc-9.6.2-0.2mdv2010.0.x86_64.rpm
4c49ead6f31cb62620ecad95ac347ce5 2010.0/x86_64/bind-utils-9.6.2-0.2mdv2010.0.x86_64.rpm
66fa1bdf42920a011ce35fadfa8599ec 2010.0/SRPMS/bind-9.6.2-0.2mdv2010.0.src.rpm
Mandriva Linux 2010.1:
c602faaa5ecf406a50c1d54e213b005f 2010.1/i586/bind-9.7.2-0.1mdv2010.1.i586.rpm
0c0fb39f374e7bff06bcd41f0620f1b5 2010.1/i586/bind-devel-9.7.2-0.1mdv2010.1.i586.rpm
36beded6f33d63195c49e5acc60fab0c 2010.1/i586/bind-doc-9.7.2-0.1mdv2010.1.i586.rpm
90f759a7980f943a9d523474fa24579d 2010.1/i586/bind-utils-9.7.2-0.1mdv2010.1.i586.rpm
5c5652897cdac3de831240c456133b1f 2010.1/SRPMS/bind-9.7.2-0.1mdv2010.1.src.rpm
Mandriva Linux 2010.1/X86_64:
6d0b4ae6a7c1dca2be5e9be73e7eda07 2010.1/x86_64/bind-9.7.2-0.1mdv2010.1.x86_64.rpm
6eb3a612e530882ef3f11afaf6b9ec87 2010.1/x86_64/bind-devel-9.7.2-0.1mdv2010.1.x86_64.rpm
9f20502ce9b0c2ab21365599cc9f4ceb 2010.1/x86_64/bind-doc-9.7.2-0.1mdv2010.1.x86_64.rpm
edd121e4fa630341dac046eadc16cc53 2010.1/x86_64/bind-utils-9.7.2-0.1mdv2010.1.x86_64.rpm
5c5652897cdac3de831240c456133b1f 2010.1/SRPMS/bind-9.7.2-0.1mdv2010.1.src.rpm
Corporate 4.0:
d9db6823d848635aab7d6d921a9ebaf4 corporate/4.0/i586/bind-9.4.3-0.3.20060mlcs4.i586.rpm
f7094ed0272958e9720eaabff0aafd83 corporate/4.0/i586/bind-devel-9.4.3-0.3.20060mlcs4.i586.rpm
da816b14327efc578e4b0d101241581d corporate/4.0/i586/bind-utils-9.4.3-0.3.20060mlcs4.i586.rpm
b97e6cf67d71523d5e33632753f35f02 corporate/4.0/SRPMS/bind-9.4.3-0.3.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
d053173af842b307695607d452225b35 corporate/4.0/x86_64/bind-9.4.3-0.3.20060mlcs4.x86_64.rpm
7a5300f1416dc460b83a40e414c764d6 corporate/4.0/x86_64/bind-devel-9.4.3-0.3.20060mlcs4.x86_64.rpm
6d7f188606387b45595bb3ec21df8737 corporate/4.0/x86_64/bind-utils-9.4.3-0.3.20060mlcs4.x86_64.rpm
b97e6cf67d71523d5e33632753f35f02 corporate/4.0/SRPMS/bind-9.4.3-0.3.20060mlcs4.src.rpm
Mandriva Enterprise Server 5:
18c0520c2d8735774fe47228a8c54431 mes5/i586/bind-9.6.2-0.2mdvmes5.1.i586.rpm
9704ba9bb67980d9863156ef9b25b40e mes5/i586/bind-devel-9.6.2-0.2mdvmes5.1.i586.rpm
944c833994bee486555c9800e818012e mes5/i586/bind-doc-9.6.2-0.2mdvmes5.1.i586.rpm
7a79ab5505f2eecdd19ecadfd815da72 mes5/i586/bind-utils-9.6.2-0.2mdvmes5.1.i586.rpm
0b5fcb3ae14aecb82b6ed5b96620e43e mes5/SRPMS/bind-9.6.2-0.2mdvmes5.1.src.rpm
Mandriva Enterprise Server 5/X86_64:
c854520bb790fc3fdbefdfb996a17ec5 mes5/x86_64/bind-9.6.2-0.2mdvmes5.1.x86_64.rpm
5326c0f0f80115d75174dbb4e200e505 mes5/x86_64/bind-devel-9.6.2-0.2mdvmes5.1.x86_64.rpm
e181f7817735b9ac929f103719d815f2 mes5/x86_64/bind-doc-9.6.2-0.2mdvmes5.1.x86_64.rpm
b87c781974853007429b7ce6801fbf5f mes5/x86_64/bind-utils-9.6.2-0.2mdvmes5.1.x86_64.rpm
0b5fcb3ae14aecb82b6ed5b96620e43e mes5/SRPMS/bind-9.6.2-0.2mdvmes5.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFNB5famqjQ0CJFipgRAvVVAKDRz+ErWGSYv2Zlit5z2vYxC1oy5gCgv+sZ
KzGENR8HDB+JHGGJvvGlKKo=
=lmTu
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists