|Summary:|<net-dns/bind-9.8.3_p1 : Deleted Domain Name Resolving Vulnerability (CVE-2012-1033)|
|Product:|Gentoo Security|
|Reporter:|Agostino Sarubbo <ago>|
|Component:|Vulnerabilities|
|Assignee:|Gentoo Security <security>|
|Package list:||
|Runtime testing required:|---|
Description Agostino Sarubbo 2012-02-08 11:23:37 UTC
Comment 1 GLSAMaker/CVETool Bot 2012-02-20 05:13:08 UTC
CVE-2012-1033 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1033): The resolver in ISC BIND 9 through 9.8.1-P1 does not properly implement a cache update policy, which allows remote attackers to trigger continued resolvability of domain names that are no longer registered via an unspecified "Ghost Names exploit."
Comment 2 Sean Amoss (RETIRED) 2012-08-20 00:06:01 UTC
From the upstream advisory: "**Delayed Update of 29 May -- The following releases, 9.6-ESV-R6, 9.7.5, 9.8.2, 9.9.0, and subsequent releases have changes to address this issue: 3282. [bug] Restrict the TTL of NS RRset to no more than that of the old NS RRset when replacing it. [RT #27792] [RT #27884]**" Adding to existing GLSA draft with 427966. If there are any objections, feel free to delete from the draft. https://www.isc.org/software/bind/advisories/cve-2012-1033
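Added illustration, not part of the bug thread and not BIND's own code: a toy NS cache in Python modelling the policy quoted above from change 3282, so the effect of capping a replacement NS RRset's TTL at the old RRset's remaining lifetime can be checked. `NSCache`, `store_ns`, `lifetime_after_refreshes` and the zone `example.test` are hypothetical names, and the TTL and timing values are constructed.

```python
from dataclasses import dataclass


@dataclass
class CachedNS:
    targets: frozenset  # name server host names in the RRset
    expires: float      # absolute expiry time in seconds


class NSCache:
    """Toy resolver cache holding only NS RRsets, keyed by zone name."""

    def __init__(self, clamp_ttl):
        self.clamp_ttl = clamp_ttl  # True models the policy from change 3282
        self.entries = {}

    def lookup(self, zone, now):
        entry = self.entries.get(zone)
        if entry is None or entry.expires <= now:
            self.entries.pop(zone, None)  # expired: forget the delegation
            return None
        return entry

    def store_ns(self, zone, targets, ttl, now):
        """Insert or replace the NS RRset for zone; return the expiry used."""
        old = self.lookup(zone, now)
        expires = now + ttl
        if old is not None and self.clamp_ttl:
            # The replacement may not outlive the RRset it replaces.
            expires = min(expires, old.expires)
        self.entries[zone] = CachedNS(frozenset(targets), expires)
        return expires


def lifetime_after_refreshes(clamp_ttl, ttl=3600, refresh_every=1800, refreshes=10):
    """Time at which the delegation finally leaves the cache when its NS
    RRset is replaced repeatedly before expiry (constructed scenario)."""
    cache = NSCache(clamp_ttl)
    cache.store_ns("example.test", {"ns0.example.test"}, ttl, now=0)
    now = 0
    for i in range(1, refreshes + 1):
        now = i * refresh_every
        if cache.lookup("example.test", now) is None:
            break  # entry expired; the resolver must go back to the parent zone
        cache.store_ns("example.test", {f"ns{i}.example.test"}, ttl, now)
    entry = cache.entries.get("example.test")
    return entry.expires if entry else now
```

Without the cap, every replacement pushes the expiry forward and the delegation never ages out; with it, the entry expires at the deadline set when it was first cached.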
Comment 3 GLSAMaker/CVETool Bot 2012-09-24 00:30:43 UTC
This issue was resolved and addressed in GLSA 201209-04 at http://security.gentoo.org/glsa/glsa-201209-04.xml by GLSA coordinator Sean Amoss (ackle).