-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA 2054-2                    [email protected]
http://www.debian.org/security/                           Martin Schulze
June 15th, 2010                        http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : bind9
Vulnerability : DNS cache poisoning
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2010-0097 CVE-2010-0290 CVE-2010-0382
This update restores the PID file location for bind to the location
before the last security update. For reference, here is the original
advisory text that explains the security problems fixed:
Several cache-poisoning vulnerabilities have been discovered in BIND.
These vulnerabilities apply only if DNSSEC validation is enabled and
trust anchors have been installed, which is not the default.
The Common Vulnerabilities and Exposures project identifies the
following problems:
CVE-2010-0097
BIND does not properly validate DNSSEC NSEC records, which allows
remote attackers to add the Authenticated Data (AD) flag to a forged
NXDOMAIN response for an existing domain.
CVE-2010-0290
When processing crafted responses containing CNAME or DNAME records,
BIND is subject to a DNS cache poisoning vulnerability, provided that
DNSSEC validation is enabled and trust anchors have been installed.
CVE-2010-0382
When processing certain responses containing out-of-bailiwick data,
BIND is subject to a DNS cache poisoning vulnerability, provided that
DNSSEC validation is enabled and trust anchors have been installed.
In addition, this update introduces more conservative query behavior
in the presence of repeated DNSSEC validation failures, addressing the
"roll over and die" phenomenon. The new version also supports the
cryptographic algorithm used by the upcoming signed ICANN DNS root
(RSASHA256 from RFC 5702), and the NSEC3 secure denial of existence
algorithm used by some signed top-level domains.
This update is based on a new upstream version of BIND 9, 9.6-ESV-R1.
Because of the scope of changes, extra care is recommended when
installing the update. Due to ABI changes, new Debian packages are
included, and the update has to be installed using "apt-get
dist-upgrade" (or an equivalent aptitude command).
For the stable distribution (lenny), these problems have been fixed in
version 1:9.6.ESV.R1+dfsg-0+lenny2.
The unstable distribution is not affected by the wrong PID file location.
We recommend that you upgrade your bind9 packages.
Upgrade Instructions
- --------------------
wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:
apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
Note that for this particular update "apt-get upgrade" is not
sufficient: as explained above, the new upstream version brings new
library packages (ABI change), so use "apt-get dist-upgrade" (or the
equivalent aptitude command) so that the new packages are pulled in.
You may use an automated update by adding the resources from the
footer to the proper configuration.
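Two checks an administrator would want around this update, given here as an added example that is not part of the advisory or of Debian's or ISC's tooling: first, whether a given named.conf actually meets the affected precondition stated above (DNSSEC validation enabled and trust anchors configured), and second, verifying a manually fetched package against the Size/MD5 line of the advisory before running dpkg -i. The sample configuration files, temporary file names and key strings below are constructed for illustration; the function names are ours.

```shell
#!/bin/sh
# Added example (not part of DSA 2054-2). Checks around the bind9 update:
#  1. does this resolver meet the "affected" precondition?
#  2. does a manually downloaded file match the advisory's Size/MD5 line?
set -u

# Remove named.conf comments so a commented-out "dnssec-validation yes;"
# is not mistaken for an active setting. Handles single-line /* */
# blocks and // and # line comments (multi-line /* */ is not handled).
strip_named_conf_comments() {
    sed -e 's#/\*.*\*/##g' -e 's#//.*$##' -e 's/#.*$//' "$1"
}

# Returns 0 when DNSSEC validation is switched on AND a trust anchor
# statement is present (trusted-keys; managed-keys on later BIND), i.e.
# the advisory's condition for the cache-poisoning bugs to apply.
dnssec_validation_active() {
    conf="$1"
    stripped=$(strip_named_conf_comments "$conf")
    printf '%s\n' "$stripped" \
        | grep -Eq 'dnssec-validation[[:space:]]+yes[[:space:]]*;' || return 1
    printf '%s\n' "$stripped" \
        | grep -Eq '(trusted-keys|managed-keys)[[:space:]]*\{' || return 1
    return 0
}

# Compare a downloaded file against the "Size/MD5 checksum: SIZE MD5"
# values published in the advisory. MD5 is what this 2010 advisory lists;
# it is not collision resistant, so the PGP signature on the advisory
# itself is what ties these numbers to Debian.
verify_download() {
    file="$1"; expected_size="$2"; expected_md5="$3"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual_size=$(wc -c < "$file" | tr -d ' ')
    actual_md5=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual_size" = "$expected_size" ] && [ "$actual_md5" = "$expected_md5" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file (size $actual_size, md5 $actual_md5)" >&2
    return 1
}

# --- demonstration on constructed input ---------------------------------
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# Constructed named.conf: validation on and a trust anchor -> affected.
cat > "$tmpdir/exposed.conf" <<'EOF'
options {
    directory "/var/cache/bind";
    dnssec-enable yes;
    dnssec-validation yes;   // validating resolver
};
trusted-keys {
    "example." 257 3 8 "AwEAAc-constructed-key-material";
};
EOF

# Constructed named.conf: validation only in a comment -> default, not affected.
cat > "$tmpdir/default.conf" <<'EOF'
options {
    directory "/var/cache/bind";
    // dnssec-validation yes;
};
EOF

if dnssec_validation_active "$tmpdir/exposed.conf"; then
    echo "exposed.conf: validation with trust anchors -> affected by the cache-poisoning bugs"
fi
dnssec_validation_active "$tmpdir/default.conf" \
    || echo "default.conf: validation not active -> not affected (upgrade anyway for the ABI change)"

# Real usage after fetching a file with wget, values copied from the advisory:
# verify_download bind9_9.6.ESV.R1+dfsg-0+lenny2.dsc 1794 b5951765a8e4aa8bcab2348f1ffa657d
```

Run it on the resolver's own /etc/bind/named.conf (and the files it includes) to see whether the DNSSEC precondition is met; either way the update should still be applied with dist-upgrade, since the package set changes.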
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg-0+lenny2.dsc
Size/MD5 checksum: 1794 b5951765a8e4aa8bcab2348f1ffa657d
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg-0+lenny2.diff.gz
Size/MD5 checksum: 45913 dd84c3e333a9ed52eb716faecf65f180
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg.orig.tar.gz
Size/MD5 checksum: 5132628 5ac7e5eadd45b234ce17b3b731dacc3a
Architecture independent components:
http://security.debian.org/pool/updates/main/b/bind9/bind9-doc_9.6.ESV.R1+dfsg-0+lenny2_all.deb
Size/MD5 checksum: 282072 8d6a3f9f97202d085d1302769aa452da
Alpha architecture:
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg-0+lenny2_alpha.deb
Size/MD5 checksum: 292140 8e10a8574edd7034941feee2edc03a31
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.6.ESV.R1+dfsg-0+lenny2_alpha.deb
Size/MD5 checksum: 64240 ee27fa0b5251fea1d502d75a3513a3a6
http://security.debian.org/pool/updates/main/b/bind9/bind9utils_9.6.ESV.R1+dfsg-0+lenny2_alpha.deb
Size/MD5 checksum: 115318 52148b7b9069b8954fb8bb04ce5455ad
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.6.ESV.R1+dfsg-0+lenny2_alpha.deb
Size/MD5 checksum: 154542 a190316dcddbeb6973951b38ba2f7ee6
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.6.ESV.R1+dfsg-0+lenny2_alpha.deb
Size/MD5 checksum: 1737448 ff983f8040060267746caf063ff0a8fa
http://security.debian.org/pool/updates/main/b/bind9/libbind9-40_9.5.1.dfsg.P3-1+lenny1_alpha.deb
Size/MD5 checksum: 32518 a9f44edeff6230a772c08f5d380592b7
http://security.debian.org/pool/updates/main/b/bind9/libbind9-50_9.6.ESV.R1+dfsg-0+lenny2_alpha.deb
Size/MD5 checksum: 33328 7ccbb786759eb774ae377d7322eaafa2
http://security.debian.org/pool/updates/main/b/bind9/libdns45_9.5.1.dfsg.P3-1+lenny1_alpha.deb
Size/MD5 checksum: 611996 a05cef02b81d683f83bbbf9f5b88c0fa
http://security.debian.org/pool/updates/main/b/bind9/libdns55_9.6.ESV.R1+dfsg-0+lenny2_alpha.deb
Size/MD5 checksum: 677572 baddf6ba1a7f7ec26acb09089cad5829
http://security.debian.org/pool/updates/main/b/bind9/libisc45_9.5.1.dfsg.P3-1+lenny1_alpha.deb
Size/MD5 checksum: 170184 bfa0989d6719e2d4670890c8b31adf9b
http://security.debian.org/pool/updates/main/b/bind9/libisc52_9.6.ESV.R1+dfsg-0+lenny2_alpha.deb
Size/MD5 checksum: 174826 6e0817102846d641ced13a23b873d027
http://security.debian.org/pool/updates/main/b/bind9/libisccc40_9.5.1.dfsg.P3-1+lenny1_alpha.deb
Size/MD5 checksum: 29694 a47bea58d704d35b8c496d3f7c304492
http://security.debian.org/pool/updates/main/b/bind9/libisccc50_9.6.ESV.R1+dfsg-0+lenny2_alpha.deb
Size/MD5 checksum: 29870 93056e3f1bdf8d4f8f07d4feae2d8836
[continued in next message]