Bug 163691 - BIND 9: DNSSEC Validation error
Summary: BIND 9: DNSSEC Validation error
Status: RESOLVED DUPLICATE of bug 163692
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Reported: 2007-01-25 01:42 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2008-03-05 07:30 UTC
Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2007-01-25 01:42:50 UTC
From: Mark_Andrews@isc.org
Subject: Internet Systems Consortium Security Advisory.
Date: January 24, 2007 7:22:47 PM EST
To: bind-announce@isc.org


                Internet Systems Consortium Security Advisory.
			BIND 9: DNSSEC Validation
                             10 January 2007

Versions affected:

	BIND 9.0.x (all versions of BIND 9.0)	(at end-of-life)
	BIND 9.1.x (all versions of BIND 9.1)	(at end-of-life)
	BIND 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7
	BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3
	BIND 9.4.0a1, 9.4.0a2, 9.4.0a3, 9.4.0a4, 9.4.0a5, 9.4.0a6, 9.4.0b1
	     9.4.0b2, 9.4.0b3, 9.4.0b4, 9.4.0rc1
	BIND 9.5.0a1 (Bind Forum only)

Severity: Low
Exploitable: Remotely

Description:

	When validating responses to type * (ANY) queries that return
	multiple RRsets in the answer section it is possible to trigger
	assertion checks.

	To be vulnerable you need to have enabled dnssec validation in
	named.conf by specifying trusted-keys.

Workaround:

	Disable / restrict recursion (to limit exposure).
	Disable DNSSEC validation (remove all trusted-keys from named.conf).

Fix:

	Upgrade to BIND 9.2.8, BIND 9.3.4 or BIND 9.4.0rc2.
	Additionally this will be fixed in the upcoming BIND 9.5.0a2.

Note:

	It is recommended that anyone using DNSSEC upgrade to BIND 9.3
	as the DNSSEC implementation in BIND 9.2 has been obsoleted.

Revision History:
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:	+61 2 9871 4742		         INTERNET: Mark_Andrews@isc.org
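
Added example (not part of the ISC advisory or of Gentoo's tooling): a triage check that combines the two conditions the advisory gives, an affected BIND version and a trusted-keys statement in named.conf. It takes a version string such as the one printed by `named -v` and the text of named.conf; the function names, the sample configurations and the treatment of unlisted pre-releases on a listed branch as affected are assumptions made here.

```python
import re

_STAGE = {"a": 0, "b": 1, "rc": 2, "": 3}          # alpha < beta < rc < final
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_?(a|b|rc)(\d+))?", re.I)
# First fixed release per branch, from "Fix:" -> (patch, stage, stage number).
_FIRST_FIXED = {(9, 2): (8, 3, 0), (9, 3): (4, 3, 0),
                (9, 4): (0, 2, 2), (9, 5): (0, 0, 2)}
_EOL_BRANCHES = {(9, 0), (9, 1)}                    # every release affected

def version_affected(text):
    """True if the version in `text` falls in the advisory's affected list."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError("no BIND version found in %r" % text)
    branch = (int(m.group(1)), int(m.group(2)))
    if branch in _EOL_BRANCHES:
        return True
    if branch not in _FIRST_FIXED:
        return False        # branch not named in the advisory
    # Assumption: anything older than the first fixed release counts as affected.
    release = (int(m.group(3)), _STAGE[(m.group(4) or "").lower()],
               int(m.group(5) or 0))
    return release < _FIRST_FIXED[branch]

_TOKEN = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def has_trusted_keys(conf):
    """True if named.conf text has a non-empty, uncommented trusted-keys block."""
    # Drop comments but keep quoted strings (base64 key data may contain "//").
    body = _TOKEN.sub(lambda t: t.group(0) if t.group(0)[0] == '"' else " ", conf)
    m = re.search(r"\btrusted-keys\s*\{(.*?)\}\s*;", body, re.S)
    return bool(m and m.group(1).strip())

def exposed(version_text, conf):
    """Both advisory conditions hold: affected version and validation enabled."""
    return version_affected(version_text) and has_trusted_keys(conf)

# Constructed sample input (key data is a placeholder, not a real key).
VALIDATING = ('options { recursion yes; };\n'
              'trusted-keys {\n  "example." 257 3 5 "AQPLACEHOLDER//KEY==";\n};\n')
WORKAROUND = ('options { recursion no; };\n'
              '/* trusted-keys { "example." 257 3 5 "AQ=="; }; */\n')

if __name__ == "__main__":
    for v in ("BIND 9.3.3", "9.4.0_rc2"):
        print(v, exposed(v, VALIDATING), exposed(v, WORKAROUND))
```

The version pattern also accepts Gentoo's `_rc` spelling, so package versions from the tree can be passed in unchanged.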
Comment 1 Executioner 2007-01-30 17:30:27 UTC
CVE-2007-0493
Comment 2 Martin Jackson (RETIRED) gentoo-dev 2007-02-06 03:06:42 UTC
bind and bind/tools 9.2.8, 9.3.4 and 9.4.0_rc2 have been committed to the tree.
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-10 21:13:14 UTC
Handled on bug 163692. Don't ask me why this way and not the contrary.

*** This bug has been marked as a duplicate of bug 163692 ***