Gentoo Archives: gentoo-announce

From: Stefan Behte <craig@g.o>
To: gentoo-announce@g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 201006-11 ] BIND: Multiple vulnerabilities
Date: Wed, 02 Jun 2010 18:33:35
Message-Id: 4C068B31.2020300@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201006-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: BIND: Multiple vulnerabilities
      Date: June 01, 2010
      Bugs: #301548, #308035
        ID: 201006-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Several cache poisoning vulnerabilities have been found in BIND.

Background
==========

ISC BIND is the Internet Systems Consortium implementation of the
Domain Name System (DNS) protocol.

Affected packages
=================

    -------------------------------------------------------------------
     Package        /  Vulnerable  /                        Unaffected
    -------------------------------------------------------------------
  1  net-dns/bind       < 9.4.3_p5                         >= 9.4.3_p5

Description
===========

Multiple cache poisoning vulnerabilities were discovered in BIND. For
further information please consult the CVE entries and the ISC Security
Bulletin referenced below.

Note: CVE-2010-0290 and CVE-2010-0382 exist because of an incomplete
fix and a regression for CVE-2009-4022.

Impact
======

An attacker could exploit this weakness to poison the cache of a
recursive resolver and thus spoof DNS traffic, which could e.g. lead to
the redirection of web or mail traffic to malicious sites.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All BIND users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-dns/bind-9.4.3_p5"

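A check of installed versions against the affected range in the table
above, as an added example that is not part of the advisory or of
Portage. It uses a simplified form of Gentoo version ordering (numeric
components, one optional _alpha/_beta/_pre/_rc/_p suffix, -rN revision);
letter suffixes and the leading-zero rule are not handled, and the host
names and inventory are constructed sample data.

```python
import re

# Suffix ranks in Gentoo ordering: _alpha < _beta < _pre < _rc < (none) < _p
SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, None: 0, "p": 1}
VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"
    r"(?:_(?P<suffix>alpha|beta|pre|rc|p)(?P<sufnum>\d*))?"
    r"(?:-r(?P<rev>\d+))?$"
)
FIXED = "9.4.3_p5"  # first unaffected net-dns/bind version, from the GLSA table


def version_key(version):
    """Return a tuple that sorts in (simplified) Gentoo version order."""
    m = VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = tuple(int(n) for n in m.group("nums").split("."))
    return (nums, SUFFIX_RANK[m.group("suffix")],
            int(m.group("sufnum") or 0), int(m.group("rev") or 0))


def is_vulnerable(version):
    """True if version falls in the GLSA's vulnerable range (< 9.4.3_p5)."""
    return version_key(version) < version_key(FIXED)


def audit(inventory):
    """Split {host: version} into (vulnerable, unaffected, unparsed) host lists."""
    vulnerable, unaffected, unparsed = [], [], []
    for host, version in sorted(inventory.items()):
        try:
            (vulnerable if is_vulnerable(version) else unaffected).append(host)
        except ValueError:
            unparsed.append(host)  # review by hand rather than assume safe
    return vulnerable, unaffected, unparsed


# Constructed inventory: hypothetical hosts and installed net-dns/bind versions.
SAMPLE_INVENTORY = {
    "ns1": "9.4.3_p4", "ns2": "9.4.3_p5", "ns3": "9.4.3",
    "ns4": "9.4.3_p4-r2", "ns5": "9.4.3_p5-r1",
    "ns6": "9.4.3-P5",  # upstream-style string, not a Gentoo version
}

if __name__ == "__main__":
    for label, hosts in zip(("vulnerable", "unaffected", "unparsed"),
                            audit(SAMPLE_INVENTORY)):
        print(f"{label}: {', '.join(hosts) or '-'}")
```

Hosts reported as unparsed need a manual check; the script never treats
an unrecognised version string as unaffected.
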
References
==========

  [ 1 ] ISC Advisory
        https://www.isc.org/advisories/CVE2009-4022
  [ 2 ] CVE-2009-4022
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022
  [ 3 ] CVE-2010-0097
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0097
  [ 4 ] CVE-2010-0290
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0290
  [ 5 ] CVE-2010-0382
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0382

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201006-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
