163691 2007-01-25 01:42 0000 BIND 9: DNSSEC Validation error 2008-03-05 07:30:37 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED DUPLICATE P2 minor --- 1 rajiv@gentoo.org security@gentoo.org bind@gentoo.org sgtphou@fire-eyes.org voxus@gentoo.org rajiv@gentoo.org 2007-01-25 01:42:50 0000 From: Mark_Andrews@isc.org Subject: Internet Systems Consortium Security Advisory. Date: January 24, 2007 7:22:47 PM EST To: bind-announce@isc.org Internet Systems Consortium Security Advisory. BIND 9: DNSSEC Validation 10 January 2007 Versions affected: BIND 9.0.x (all versions of BIND 9.0) (at end-of-life) BIND 9.1.x (all versions of BIND 9.1) (at end-of-life) BIND 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7 BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3 BIND 9.4.0a1, 9.4.0a2, 9.4.0a3, 9.4.0a4, 9.4.0a5, 9.4.0a6, 9.4.0b1 9.4.0b2, 9.4.0b3, 9.4.0b4, 9.4.0rc1 BIND 9.5.0a1 (Bind Forum only) Severity: Low Exploitable: Remotely Description: When validating responses to type * (ANY) queries that return multiple RRsets in the answer section it is possible to trigger assertions checks. To be vulnerable you need to have enabled dnssec validation in named.conf by specifying trusted-keys. Workaround: Disable / restrict recursion (to limit exposure). Disable DNSSEC validation (remove all trusted-keys from named.conf). Fix: Upgrade to BIND 9.2.8, BIND 9.3.4 or BIND 9.4.0rc2. Additionally this will be fixed in the upcoming BIND 9.5.0a2. Note: It is recommended that anyone using DNSSEC upgrade to BIND 9.3 as the DNSSEC implementation in BIND 9.2 has been obsoleted. Revision History: -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org keith@email.arizona.edu 2007-01-30 17:30:27 0000 CVE-2007-0493 mjolnir@gentoo.org 2007-02-06 03:06:42 0000 bind and bind/tools 9.2.8, 9.3.4 and 9.4.0_rc2 have been committed to the tree. falco@gentoo.org 2007-02-10 21:13:14 0000 Handled on bug 163692. Don't ask me why this way and not the contrary. *** This bug has been marked as a duplicate of bug 163692 ***