1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 1604-1] BIND 8 deprecation notice

    From Florian Weimer@1:229/2 to All on Tue Jul 8 19:30:09 2008
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------ Debian Security Advisory DSA-1604-1 [email protected] http://www.debian.org/security/ Florian Weimer
    July 08, 2008 http://www.debian.org/security/faq
    - ------------------------------------------------------------------------

    Package : bind
    Vulnerability : DNS cache poisoning
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2008-1447
    CERT advisory : VU#800113


    Dan Kaminsky discovered that properties inherent to the DNS protocol
    lead to practical DNS cache poisoning attacks. Among other things,
    successful attacks can lead to misdirected web traffic and email
    rerouting.

    The BIND 8 legacy code base could not be updated to include the
    recommended countermeasure (source port randomization, see DSA-1603-1
    for details). There are two ways to deal with this situation:

    1. Upgrade to BIND 9 (or another implementation with source port randomization). The documentation included with BIND 9 contains a
    migration guide.

    2. Configure the BIND 8 resolver to forward queries to a BIND 9
    resolver. Provided that the network between both resolvers is trusted,
    this protects the BIND 8 resolver from cache poisoning attacks (to the
    same degree that the BIND 9 resolver is protected).

    This problem does not apply to BIND 8 when used exclusively as an
    authoritative DNS server. It is theoretically possible to safely use
    BIND 8 in this way, but updating to BIND 9 is strongly recommended.
    BIND 8 (that is, the bind package) will be removed from the etch
    distribution in a future point release.

    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: [email protected]
    Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)

    iQEVAwUBSHOIFL97/wQC1SS+AQLZYAgAhiucKuHSkgZRjm1E9vUS4t9VmVhKdYB2 jDhG00WloZPxeBjHT0Ar1b4S/QGbDQ2Dy2hlMONsl5ZZWAbkzzANDsVIDC2xez5w NBqJjfEKYuk7Q3E+elyJ/z79F0HbMtO+SdagRoSbIV3nWfSoRI6jp+32Be69JazW Te3gLKOAm6TpdYPpn7wmw2pXeOKzeUaOh/npXAYH4YEKmqnxzJZy+0862kaKSQ8G 9qGIQ9zKCkPLs4bKt+JhpwWumfgaabGT6KlGAtC3ORBef54Ux/EdpNFEGBWvWrxU HOcPZGBJKxUAO4doJdRPNcFV4ez4u2v0WFK3bRM+JNgegnoplvnxuA==
    =vK+3
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)