Bug#: 163691
Status: RESOLVED
Resolution: DUPLICATE of bug 163692
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Rajiv Aaron Manglani <rajiv@gentoo.org>

Description:   Opened: 2007-01-25 01:42 0000
        From:    Mark_Andrews@isc.org
        Subject: Internet Systems Consortium Security Advisory.
        Date:    January 24, 2007 7:22:47 PM EST
        To:      bind-announce@isc.org


                Internet Systems Consortium Security Advisory.
                        BIND 9: DNSSEC Validation
                             10 January 2007

Versions affected:

        BIND 9.0.x (all versions of BIND 9.0)   (at end-of-life)
        BIND 9.1.x (all versions of BIND 9.1)   (at end-of-life)
        BIND 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7
        BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3
        BIND 9.4.0a1, 9.4.0a2, 9.4.0a3, 9.4.0a4, 9.4.0a5, 9.4.0a6, 9.4.0b1
             9.4.0b2, 9.4.0b3, 9.4.0b4, 9.4.0rc1 
        BIND 9.5.0a1 (Bind Forum only)

Severity: Low
Exploitable: Remotely

Description:

        When validating responses to type * (ANY) queries that return
        multiple RRsets in the answer section it is possible to trigger
        assertion checks.

        To be vulnerable you need to have enabled dnssec validation in
        named.conf by specifying trusted-keys.

Workaround:

        Disable / restrict recursion (to limit exposure).
        Disable DNSSEC validation (remove all trusted-keys from named.conf).

Fix:

        Upgrade to BIND 9.2.8, BIND 9.3.4 or BIND 9.4.0rc2.
        Additionally this will be fixed in the upcoming BIND 9.5.0a2.

Note:

        It is recommended that anyone using DNSSEC upgrade to BIND 9.3
        as the DNSSEC implementation in BIND 9.2 has been obsoleted.

Revision History:
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:  +61 2 9871 4742                  INTERNET: Mark_Andrews@isc.org
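
A version-and-configuration check for the condition the advisory describes, as an added example that is not part of the advisory or the bug report: it compares a BIND version string against the affected releases listed above and looks for an active `trusted-keys` block in named.conf text. The function names and sample configurations are constructed for illustration; version suffixes other than a/b/rc and keys pulled in through `include` files are not handled.

```python
import re

# Fixed release per branch, from the advisory's "Fix" section.
FIXED = {(9, 2): "9.2.8", (9, 3): "9.3.4", (9, 4): "9.4.0rc2", (9, 5): "9.5.0a2"}
EOL_BRANCHES = {(9, 0), (9, 1)}             # all releases affected, no fix listed
STAGE = {"a": 0, "b": 1, "rc": 2, None: 3}  # alpha < beta < rc < final

def version_key(version):
    """Turn '9.4.0rc1' (or Gentoo's '9.4.0_rc1') into a sortable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?", version.replace("_", ""))
    if not m:
        raise ValueError(f"unrecognised BIND version: {version!r}")
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch), STAGE[stage], int(num or 0))

def version_affected(version):
    key = version_key(version)
    branch = key[:2]
    if branch in EOL_BRANCHES:
        return True
    fixed = FIXED.get(branch)
    # Assumption: branches the advisory does not list are reported as not affected.
    return fixed is not None and key < version_key(fixed)

_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def has_trusted_keys(conf_text):
    """True if named.conf text has a non-empty, uncommented trusted-keys block."""
    # Drop comments but keep quoted strings (base64 key data may contain '//').
    stripped = _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", conf_text)
    return any(body.strip() for body in re.findall(r"\btrusted-keys\s*\{([^}]*)\}", stripped))

def exposed(version, conf_text):
    return version_affected(version) and has_trusted_keys(conf_text)

# Constructed sample configurations (the key material is a dummy value).
VALIDATING = '''
options { recursion yes; };
trusted-keys {
    example.com. 257 3 5 "AQPdummy//key+data==";
};
'''
NOT_VALIDATING = '''
options { recursion yes; };
# trusted-keys { example.com. 257 3 5 "AQPdummy//key+data=="; };
'''

if __name__ == "__main__":
    for v in ("9.3.3", "9.3.4", "9.4.0rc1", "9.4.0rc2"):
        print(v, exposed(v, VALIDATING), exposed(v, NOT_VALIDATING))
```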

------- Comment #1 From Executioner 2007-01-30 17:30:27 0000 -------
CVE-2007-0493

------- Comment #2 From Martin Jackson (RETIRED) 2007-02-06 03:06:42 0000 -------
bind and bind/tools 9.2.8, 9.3.4 and 9.4.0_rc2 have been committed to the tree.

------- Comment #3 From Raphael Marichez 2007-02-10 21:13:14 0000 -------
Handled on bug 163692. Don't ask me why this way and not the contrary.

*** This bug has been marked as a duplicate of bug 163692 ***
