Bind Security Vulnerabilities Roundup
by Berislav Kucan - last update: 21 November 2002
Debian Linux (DSA 196-1)

Mandrake Linux (MDKSA-2002:077)

Trustix Secure Linux (#2002-0076)

OpenPKG (OpenPKG-SA-2002.011)

NetBSD (2002-029)

OpenBSD (Patches available)

Additional information

Crispin Cowan, Chief Scientist at WireX said on Immunix-users mailing list: "Those lovely folks at ISC (who maintain BIND) and ISS (who discovered the bug) decided that it was a good idea to release this security advisory a week ahead of releasing the patches, and without revealing what the problems actually are. We will release RPMs and an analysis of how vulnerable Immunix versions are, as soon as it is possible."

Alexandr Kovalenko noted on freebsd-security mailing list that some of the instructions noted in FreeBSD's security advisory are incorrect. The steps should go like this:

# cd /usr/src

# patch < /patch/to/patch

# cd /usr/src/lib/libbind

# make depend && make && make install

# cd /usr/src/lib/libisc

# make depend && make && make install

# cd /usr/src/usr.sbin/named

# make depend && make && make install

# cd /usr/src/libexec/named-xfer

# make depend && make && make install

Openwall Project web site ( notes that BIND 4.9.10-OW2 includes the patch provided by ISC and is likely to become 4.9.11-OW1 once BIND 4.9.11 is officially released.

Alan Olsen from Wirex send a post to immunix-users mailing list that he built new Bind 9 RPM's but they are not tested and should be used at your own risk:

"They are built off of the latest patched Redhat RPMs, so they should work. But be warned that if they cause your cat to go bald, paint to peel off your house or you mother-in-law to move in with you, well...

bind-9.2.1-0.70.2_imnx_1.i386.rpm 13-Nov-2002 14:48 1.7M

bind-9.2.1-0.70.2_imnx_1.src.rpm 13-Nov-2002 14:44 3.8M

bind-devel-9.2.1-0.70.2_imnx_1.i386.rpm 13-Nov-2002 14:48 860k

bind-utils-9.2.1-0.70.2_imnx_1.i386.rpm 13-Nov-2002 14:48 601k

They are not gpg signed at the moment. They probably should be. They are not official, so I have not signed them... That may change, depending on the feedback I get."

Olaf Kirch from SuSE Linux team noted on BugTraq that "...I believe ISC have been sitting on this for almost a month. The CVE IDs were assigned October 16, and I have reason to believe that they learned of this no later than October 23." Read his opinion over at Neohapsis archives.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th