Bind Security Vulnerabilities Roundup
by Berislav Kucan - last update: 21 November 2002
Debian Linux (DSA 196-1)

http://www.net-security.org/advisory.php?id=1281

Mandrake Linux (MDKSA-2002:077)

http://www.net-security.org/advisory.php?id=1282

Trustix Secure Linux (#2002-0076)

http://www.net-security.org/advisory.php?id=1300

OpenPKG (OpenPKG-SA-2002.011)

http://www.net-security.org/advisory.php?id=1295

NetBSD (2002-029)

http://www.net-security.org/advisory.php?id=1314

OpenBSD (Patches available)

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/005_named.patch

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/019_named.patch

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/036_named.patch




Additional information

Crispin Cowan, Chief Scientist at WireX said on Immunix-users mailing list: "Those lovely folks at ISC (who maintain BIND) and ISS (who discovered the bug) decided that it was a good idea to release this security advisory a week ahead of releasing the patches, and without revealing what the problems actually are. We will release RPMs and an analysis of how vulnerable Immunix versions are, as soon as it is possible."

Alexandr Kovalenko noted on freebsd-security mailing list that some of the instructions noted in FreeBSD's security advisory are incorrect. The steps should go like this:

# cd /usr/src

# patch < /patch/to/patch

# cd /usr/src/lib/libbind

# make depend && make && make install

# cd /usr/src/lib/libisc

# make depend && make && make install

# cd /usr/src/usr.sbin/named

# make depend && make && make install

# cd /usr/src/libexec/named-xfer

# make depend && make && make install

Openwall Project web site (www.openwall.com) notes that BIND 4.9.10-OW2 includes the patch provided by ISC and is likely to become 4.9.11-OW1 once BIND 4.9.11 is officially released.

Alan Olsen from Wirex send a post to immunix-users mailing list that he built new Bind 9 RPM's but they are not tested and should be used at your own risk:

"They are built off of the latest patched Redhat RPMs, so they should work. But be warned that if they cause your cat to go bald, paint to peel off your house or you mother-in-law to move in with you, well...

http://download.immunix.org/ImmunixOS/7+-beta/contrib/

bind-9.2.1-0.70.2_imnx_1.i386.rpm 13-Nov-2002 14:48 1.7M

bind-9.2.1-0.70.2_imnx_1.src.rpm 13-Nov-2002 14:44 3.8M

bind-devel-9.2.1-0.70.2_imnx_1.i386.rpm 13-Nov-2002 14:48 860k

bind-utils-9.2.1-0.70.2_imnx_1.i386.rpm 13-Nov-2002 14:48 601k

They are not gpg signed at the moment. They probably should be. They are not official, so I have not signed them... That may change, depending on the feedback I get."

Olaf Kirch from SuSE Linux team noted on BugTraq that "...I believe ISC have been sitting on this for almost a month. The CVE IDs were assigned October 16, and I have reason to believe that they learned of this no later than October 23." Read his opinion over at Neohapsis archives.

Spotlight

Leveraging network intelligence and deep packet inspection

Posted on 26 November 2014.  |  Tomer Saban, CEO of WireX Systems, talks about how deep packet inspection helps with identifying emerging threats, the role of network intelligence, and more.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Thu, Nov 27th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //