Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 402661 (CVE-2012-1033)

Summary: <net-dns/bind-9.8.3_p1 : Deleted Domain Name Resolving Vulnerability (CVE-2012-1033)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: axiator, idl0r
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-02-08 11:23:37 UTC
From secunia security advisory at $URL:

The vulnerability is caused due to an error within the cache update policy, which does not properly handle revoked domain names. This can be exploited to keep the domain name resolvable after being deleted from registration.

The vulnerability is reported in all 9.x versions.


Original Advisory
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-02-20 05:13:08 UTC
CVE-2012-1033 (
  The resolver in ISC BIND 9 through 9.8.1-P1 does not properly implement a
  cache update policy, which allows remote attackers to trigger continued
  resolvability of domain names that are no longer registered via an
  unspecified "Ghost Names exploit."
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-08-20 00:06:01 UTC
From the upstream advisory [1]:

"**Delayed Update of 29 May --

The following releases, 9.6-ESV-R6, 9.7.5, 9.8.2, 9.9.0, and subsequent releases have changes to address this issue:

3282. [bug] Restrict the TTL of NS RRset to no more than that
of the old NS RRset when replacing it.
[RT #27792] [RT #27884]**"

Adding to existing GLSA draft with 427966. If there are any objections, feel free to delete from the draft.

Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-09-24 00:30:43 UTC
This issue was resolved and addressed in
 GLSA 201209-04 at
by GLSA coordinator Sean Amoss (ackle).