Risks
Advisories
Browse
or
or
Conectiva Linux Security Announcement - bind
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : bind
SUMMARY   : Remote vulnerabilities in the BIND DNS server
DATE      : 2002-11-14 15:36:00
ID        : CLA-2002:546
RELEVANT
RELEASES  : 6.0

- -------------------------------------------------------------------------

DESCRIPTION
 "bind" is probably the most used DNS server on the internet. 
 
 ISS reported[7] buffer overflow and denial of service vulnerabilities
 in some versions of the BIND software. The most dangerous one, the
 buffer overflow, could be used by remote attacker to execute
 arbitrary code on the server with the privileges of the user running
 the "named" process.
 
 The vulnerabilities explained below affect BIND as shipped with
 Conectiva Linux 6.0. Conectiva Linux 7.0 and 8 already ship BIND 9.x,
 which is not vulnerable to the problems reported by ISS.
 
 1) Buffer overflow (CAN-2002-1219) [5]
 An attacker who can make a vulnerable BIND server make recursive
 queries to a domain that he (the attacker) controls can exploit this
 vulnerability and execute arbitrary code on the server with the same
 privileges as the "named" process. The BIND packages in Conectiva
 Linux run the "named" process with an unprivileged user, and not
 root, which mitigates the impact of this vulnerability somewhat,
 requiring that the attacker take further steps to obtain root access.
 Additionally, there is the bind-chroot package which, if used, runs
 the server in a chroot area under /var/named which imposes an
 additional restriction on the actions a potential intruder can take.
 
 2) Denial of service (CAN-2002-1221) [6]
 The BIND server can be triggered into attempting a NULL pointer
 dereference which will terminate the service. This can be caused by a
 remote attacker who controls a DNS server authoritative for some
 domain queried by the vulnerable BIND server.
 
 
 The packages available through this advisory were built with patches
 that were made publicly available[3] by ISC less than 24 hours ago.
 Conectiva Linux and the majority of other GNU/Linux distributions
 were notified about this vulnerability (but with not enough details
 to produce a patch) about 12 hours before ISS made it public[7]. We
 are worried about the way in which this whole incident has been
 handled, specially when considering that DNS is part of the internet
 infrastructure and thus a vital service.
 
 We, and many vendors, do believe in what is commonly called
 "responsible full disclosure"[8], where all details about a
 vulnerability are made public after all vendors were notified in
 advance and have had a reasonable amount of time to prepare and test
 updated packages. We believe this to be the most secure and
 responsible method for disclosing vulnerabilities.


SOLUTION
 All BIND users should upgrade immediately. After the upgrade, the
 named service will be automatically restarted if needed.
 
 If it is not possible to upgrade the packages immediately, users
 should disable recursive queries or restrict them. Disabling
 recursive queries can be done by the "recursion no;" parameter in the
 options section of the named.conf configuration file. Restricting
 access to such queries can be accomplished via the "allow-recursion"
 directive in the same configuration file.
 
 
 REFERENCES
 1.http://www.isc.org/
 2.http://www.cert.org/advisories/CA-2002-31.html
 3.http://www.isc.org/products/BIND/patches/bind826.diff
 4.http://www.isc.org/products/BIND/bind-security.html
 5.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1219
 6.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1221
 7.https://gtoc.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469
 8.http://distro.conectiva.com.br/seguranca/problemas/?idioma=en


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/bind-8.2.6-1U60_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/bind-chroot-8.2.6-1U60_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-8.2.6-1U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-chroot-8.2.6-1U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-devel-8.2.6-1U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-devel-static-8.2.6-1U60_2cl.i386.rp
m
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-doc-8.2.6-1U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-utils-8.2.6-1U60_2cl.i386.rpm


ADDITIONAL INSTRUCTIONS
 Users of Conectiva Linux version 6.0 or higher may use apt to perform 
 upgrades of RPM packages:
 - add the following line to /etc/apt/sources.list if it is not there yet
   (you may also use linuxconf to do this):

 rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions reagarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9099O42jd0JmAcZARAiZGAKDMz0e8eiF+0Zws8sQkvkE5NcHKywCg24tc
ixMwRpolJ8skSz3KyrLfVjM=
=Smdc
-----END PGP SIGNATURE-----





Spotlight

Fake "Online Ebola Alert Tool" delivers Trojan

Posted on 29 October 2014.  |  Cyber scammers continue to take advantage of the fear and apprehension surrounding the proliferation of the Ebola virus.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Thu, Oct 30th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //