  • [SECURITY] [DSA 2054-1] New bind9 packages fix cache poisoning (1/5)

    From Florian Weimer@1:229/2 to All on Fri Jun 4 21:30:02 2010
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-2054-1                     [email protected]
    http://www.debian.org/security/                           Florian Weimer
    June 04, 2010                         http://www.debian.org/security/faq
    - ------------------------------------------------------------------------

    Package : bind9
    Vulnerability : DNS cache poisoning
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2010-0097 CVE-2010-0290 CVE-2010-0382

    Several cache-poisoning vulnerabilities have been discovered in BIND.
    These vulnerabilities apply only if DNSSEC validation is enabled and
    trust anchors have been installed, which is not the default.

    The Common Vulnerabilities and Exposures project identifies the
    following problems:

    CVE-2010-0097
    BIND does not properly validate DNSSEC NSEC records, which allows
    remote attackers to add the Authenticated Data (AD) flag to a forged
    NXDOMAIN response for an existing domain.

    CVE-2010-0290
    When processing crafted responses containing CNAME or DNAME records,
    BIND is subject to a DNS cache poisoning vulnerability, provided that
    DNSSEC validation is enabled and trust anchors have been installed.

    CVE-2010-0382
    When processing certain responses containing out-of-bailiwick data,
    BIND is subject to a DNS cache poisoning vulnerability, provided that
    DNSSEC validation is enabled and trust anchors have been installed.

    In addition, this update introduces a more conservative query behavior
    in the presence of repeated DNSSEC validation failures, addressing the
    "roll over and die" phenomenon. The new version also supports the
    cryptographic algorithm used by the upcoming signed ICANN DNS root
    (RSASHA256 from RFC 5702), and the NSEC3 secure denial of existence
    algorithm used by some signed top-level domains.

    This update is based on a new upstream version of BIND 9, 9.6-ESV-R1.
    Because of the scope of changes, extra care is recommended when
    installing the update. Due to ABI changes, new Debian packages are
    included, and the update has to be installed using "apt-get
    dist-upgrade" (or an equivalent aptitude command).

    For the stable distribution (lenny), these problems have been fixed in
    version 1:9.6.ESV.R1+dfsg-0+lenny1.

    For the unstable distribution (sid), these problems have been fixed in
    version 1:9.7.0.dfsg-1.

    We recommend that you upgrade your bind9 packages.

    Upgrade instructions
    - --------------------

    wget url
    will fetch the file for you
    dpkg -i file.deb
    will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
    will update the internal database
    apt-get dist-upgrade
    will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny
    - --------------------------------

    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)