| Field | Value | Field | Value |
|---|---|---|---|
| Summary | net-dns/bind <9.4.3_p1 incorrect checks for malformed DSA signatures (CVE-2009-0025) | | |
| Product | Gentoo Security | Reporter | Robert Buchholz (RETIRED) <rbu> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | normal | CC | bind+disabled, voxus |
| Priority | High | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/3f66647a5064fced | | |
| Whiteboard | B3 [glsa] | | |
| Package list | | Runtime testing required | --- |
Description
Robert Buchholz (RETIRED)
2009-01-07 18:34:17 UTC
According to oCERT, this was fixed in 9.3.6-P1, 9.4.3-P1, 9.5.1-P1, 9.6.0-P1. Can't connect to isc.org to check though.

(In reply to comment #1)
> According to oCERT, this was fixed in 9.3.6-P1, 9.4.3-P1, 9.5.1-P1, 9.6.0-P1.
> Can't connect to isc.org to check though.
> I'll quickly bump to 9.4.3_p1, 9.5.1_p1 and 9.6.0_p1 will follow.

from: ftp://ftp.isc.org/isc/bind9/9.4.3-P1/9.4.3-P1

BIND 9.4.3-P1 is now available.

BIND 9.4.3-P1 is a SECURITY patch for BIND 9.4.3. It addresses a bug in which return values from some OpenSSL functions were left unchecked, making it theoretically possible to spoof answers from some signed zones.

Bugs should be reported to bind9-bugs@isc.org.

BIND 9.4.3-P1 can be downloaded from
ftp://ftp.isc.org/isc/bind9/9.4.3-P1/bind-9.4.3-P1.tar.gz

The PGP signature of the distribution is at
ftp://ftp.isc.org/isc/bind9/9.4.3-P1/bind-9.4.3-P1.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P1/bind-9.4.3-P1.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P1/bind-9.4.3-P1.tar.gz.sha512.asc

The signature was generated with the ISC public key, which is available at <http://www.isc.org/ISC/isckey.txt>.

A binary kit for Windows XP and Windows 2003 is at
ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.zip
ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.debug.zip

The PGP signature of the binary kit for Windows XP and Windows 2003 is at
ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.zip.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P1/BIND9.4.3-P1.debug.zip.sha512.asc

Changes since 9.4.3:

2522. [security] Handle -1 from DSA_do_verify().

2498. [bug] Removed a bogus function argument used with ISC_SOCKET_USE_POLLWATCH: it could cause compiler warning or crash named with the debug 1 level of logging. [RT #18917]

9.4.3_p1 is in CVS.

Candidates for stabilization:
=net-dns/bind-9.4.3_p1
=net-dns/bind-tools-9.4.3_p1

both stable on hppa

ppc64 done

ppc stable

Both stable on alpha.

amd64/x86 stable

ia64/sparc stable

Ready to vote, I vote YES.

voting yes too, request filed.

GLSA 200903-14
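Changelog entry 2522 above ("Handle -1 from DSA_do_verify()") names the bug class behind this advisory: OpenSSL's DSA_do_verify() is three-valued (1 = valid signature, 0 = invalid signature, -1 = error), so a caller that treats "anything but 0" as success silently accepts the error value as a verified signature. The following is an added illustration, not BIND's, ISC's or OpenSSL's code: it implements a toy DSA over deliberately tiny constructed parameters (p=23, q=11, g=4, private x=3, public y=18, message hash h=7), reproduces the documented 1/0/-1 return contract in `toy_dsa_do_verify`, and puts the unchecked caller pattern (`!= 0`) next to the corrected one (`== 1`). The error condition modelled here (key parameters that fail validation) and both caller wrappers are assumptions chosen to show the contract, not a reconstruction of the exact BIND or OpenSSL code paths.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy DSA over tiny parameters (constructed for illustration; not OpenSSL
 * and not BIND's code). All values stay far below 2^32, so every product
 * below fits in uint64_t without overflow. */
typedef struct { uint64_t p, q, g, y; } dsa_pub_t;   /* public key */
typedef struct { uint64_t r, s; } dsa_sig_t;         /* signature (r, s) */

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t acc = 1 % m;
    base %= m;
    while (exp) {
        if (exp & 1) acc = acc * base % m;
        base = base * base % m;
        exp >>= 1;
    }
    return acc;
}

/* Modular inverse via Fermat's little theorem; valid because q is prime
 * in a well-formed key. */
static uint64_t invmod(uint64_t a, uint64_t q) { return powmod(a, q - 2, q); }

/* Toy signer so the example can produce a genuine signature. k is the
 * per-signature nonce; here it is fixed only to keep the example deterministic. */
dsa_sig_t toy_dsa_sign(uint64_t h, uint64_t x, uint64_t k, const dsa_pub_t *key) {
    dsa_sig_t sig;
    sig.r = powmod(key->g, k, key->p) % key->q;
    sig.s = invmod(k, key->q) * ((h + x * sig.r) % key->q) % key->q;
    return sig;
}

/* Mirrors the documented DSA_do_verify() return contract:
 *    1  signature is valid
 *    0  signature is invalid
 *   -1  an error occurred (modelled here as malformed key parameters;
 *       an assumption for the example, not OpenSSL's exact error set)
 * The -1 path is the one a caller must never mistake for success. */
int toy_dsa_do_verify(uint64_t h, const dsa_sig_t *sig, const dsa_pub_t *key) {
    /* Parameter sanity: q must divide p-1 and g must lie in (1, p). */
    if (key->q < 2 || key->p < 3 || (key->p - 1) % key->q != 0 ||
        key->g < 2 || key->g >= key->p)
        return -1;
    /* r and s must be in [1, q-1]; out-of-range values are simply invalid. */
    if (sig->r == 0 || sig->r >= key->q || sig->s == 0 || sig->s >= key->q)
        return 0;
    uint64_t w  = invmod(sig->s, key->q);
    uint64_t u1 = (h % key->q) * w % key->q;
    uint64_t u2 = sig->r * w % key->q;
    uint64_t v  = powmod(key->g, u1, key->p) * powmod(key->y, u2, key->p)
                  % key->p % key->q;
    return v == sig->r ? 1 : 0;
}

/* Caller pattern described in the advisory (assumed shape): any non-zero
 * return is taken as "verified", so the error value -1 is accepted. */
bool accept_sig_unchecked(uint64_t h, const dsa_sig_t *sig, const dsa_pub_t *key) {
    return toy_dsa_do_verify(h, sig, key) != 0;   /* BUG: -1 counts as success */
}

/* Corrected caller: only the exact value 1 means the signature verified.
 * Auditing for this is a matter of grepping callers for "!= 0" / "== 0". */
bool accept_sig_checked(uint64_t h, const dsa_sig_t *sig, const dsa_pub_t *key) {
    return toy_dsa_do_verify(h, sig, key) == 1;
}

int main(void) {
    /* Constructed key: p=23, q=11 (11 | 22), g=4 (order 11), x=3, y=4^3 mod 23=18. */
    const dsa_pub_t key = { 23, 11, 4, 18 };
    const uint64_t x = 3, h = 7;
    dsa_sig_t good = toy_dsa_sign(h, x, 3, &key);   /* yields (r, s) = (7, 2) */
    dsa_sig_t bad = good;
    bad.s ^= 1;                                     /* tampered signature */
    const dsa_pub_t broken = { 23, 10, 4, 18 };     /* q does not divide p-1: error path */

    printf("valid sig   : unchecked=%d checked=%d\n",
           accept_sig_unchecked(h, &good, &key), accept_sig_checked(h, &good, &key));
    printf("tampered sig: unchecked=%d checked=%d\n",
           accept_sig_unchecked(h, &bad, &key), accept_sig_checked(h, &bad, &key));
    printf("error path  : unchecked=%d checked=%d\n",
           accept_sig_unchecked(h, &good, &broken), accept_sig_checked(h, &good, &broken));
    return 0;
}
```

With a valid signature both callers agree, and with a tampered one both reject; the difference shows only on the error path, where the unchecked caller reports success for a verification that never happened. That is the defect class the 9.4.3-P1 patch closes, and the same three-valued convention applies to other OpenSSL verify functions, so the `== 1` comparison is the check to look for in any caller.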