Summary: | <net-dns/bind-9.8.3_p1 : Deleted Domain Name Resolving Vulnerability (CVE-2012-1033) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | axiator, idl0r |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://secunia.com/advisories/47884/ | ||
Whiteboard: | B3 [glsa] | ||
Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
CVE-2012-1033 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1033): The resolver in ISC BIND 9 through 9.8.1-P1 does not properly implement a cache update policy, which allows remote attackers to trigger continued resolvability of domain names that are no longer registered via an unspecified "Ghost Names exploit."

From the upstream advisory [1]: "**Delayed Update of 29 May -- The following releases, 9.6-ESV-R6, 9.7.5, 9.8.2, 9.9.0, and subsequent releases have changes to address this issue: 3282. [bug] Restrict the TTL of NS RRset to no more than that of the old NS RRset when replacing it. [RT #27792] [RT #27884]**"

Adding to existing GLSA draft with 427966. If there are any objections, feel free to delete from the draft.

[1] https://www.isc.org/software/bind/advisories/cve-2012-1033

This issue was resolved and addressed in GLSA 201209-04 at http://security.gentoo.org/glsa/glsa-201209-04.xml by GLSA coordinator Sean Amoss (ackle).