Software Engineering Institute

Notified:  November 12, 2002 Updated: February 26, 2003

Status

Affected

Vendor Statement

Affected Systems: Mac OS X and Mac OS X Server with BIND versions 8.1, 8.2 to 8.2.6, and 8.3.0 to 8.3.3

Mitigating Factors: BIND is not enabled by default on Mac OS X or Mac OS X Server

This is addressed in Security Update 2002-11-21
http://www.apple.com/support/security/security_updates.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  November 12, 2002 Updated: December 09, 2002

Status

Affected

Vendor Statement

The AIX operating system is vulnerable to the named and DNS resolver issues in releases 4.3.3, 5.1.0 and 5.2.0. Temporary patches will be available through an efix package by 11/22/2002 or before. The efix will be available at the following URL:

ftp://ftp.software.ibm.com/aix/efixes/security/dns_named_efix.tar.Z

In the interim, customers may want to implement the workarounds given in the Solutions section to limit their exposure.

The following APARs will be available in the near future:

AIX 4.3.3 APAR IY37088 (available approx 11/27/2002)
AIX 5.1.0 APAR IY37019 (available approx 12/18/2002)
AIX 5.2.0 APAR TBA (available approx TBA)

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  November 12, 2002 Updated: November 12, 2002

Status

Affected

Vendor Statement

Older releases (6.2, 7.0) of Red Hat Linux shipped with versions of BIND which may be vulnerable to these issues however a Red Hat security advisory in July 2002 upgraded all our supported distributions to BIND 9.2.1 which is not vulnerable to these issues.

All users who have BIND installed should ensure that they are running these updated versions of BIND.

http://rhn.redhat.com/errata/RHSA-2002-133.html Red Hat Linux
http://rhn.redhat.com/errata/RHSA-2002-119.html Advanced Server 2.1

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Updated:  November 19, 2002

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2002.011                                          15-Nov-2002
________________________________________________________________________

Package:             bind, bind8
Vulnerability:       denial of service, arbitrary code execution
OpenPKG Specific:    no

Dependent Packages:  none

Affected Releases:   Affected Packages:     Corrected Packages:
OpenPKG 1.0          <= bind-8.2.6-1.0.1    >= bind-8.2.6-1.0.2
OpenPKG 1.1          <= bind8-8.3.3-1.1.0   >= bind8-8.3.3-1.1.1
OpenPKG CURRENT      <= bind8-8.3.3-2002082 >= bind8-8.3.3-20021114

Description:
 The Internet Software Consortium (ISC) [1] has discovered or has been
 notified of several bugs which can result in vulnerabilities of varying
 levels of severity in BIND [2][3]. These problems include buffer overflows,
 stack revealing, divide by zero, null pointer dereferencing, and more [4].
 A subset of these vulnerabilities exist in the BIND packages distributed by
 OpenPKG.

  Please check whether you are affected by running "<prefix>/bin/rpm -qa |
 grep bind". If you have an affected version of the "bind" or "bind8" package
 (see above), upgrade it according to the solution below.

Workaround:
 Because disabling recursion or disabling DNSSEC is a workaround to only a
 subset of the aforementioned problems, it is not a recommended aproach.

Solution:
 Since these vulnerabilities do not exist in BIND version 9.2.1, one solution
 simply involves upgrading to it. The packages bind-9.2.1-1.1.0 in OpenPKG
 1.1 [5], and bind-9.2.1-20021111 in OpenPKG CURRENT [6] are both candidates
 in this respect. Be warned that although such later versions of BIND are
 stable, there exist large differences between BIND 8 and BIND 9 software.

  A lighter approach involves updating existing packages to newly patched
 versions of BIND 8. Select the updated source RPM appropriate
 for your OpenPKG release [7][8][9], and fetch it from the OpenPKG FTP service
 or a mirror location. Verify its integrity [10], build a corresponding
 binary RPM from it and update your OpenPKG installation by applying the
 binary RPM [11]. For the latest OpenPKG 1.1 release, perform the following
 operations to permanently fix the security problem (for other releases
 adjust accordingly).

  $ftpftp.openpkg.orgftp>binftp>cdrelease/1.1/UPDftp>getbind8-8.3.3-1.1.1.src.rpmftp>bye$ <prefix>/bin/rpm -v --checksig bind8-8.3.3-1.1.1.src.rpm
 $<prefix>/bin/rpm--rebuildbind8-8.3.3-1.1.1.src.rpm$ su -
 # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/bind8-8.3.3-1.1.1.*.rpm
 # <prefix>/etc/rc bind8 stop start
________________________________________________________________________

References:
 [1]  http://www.isc.org/
 [2]  http://www.isc.org/products/BIND/
 [3]  http://www.cert.org/advisories/CA-2002-31.html
 [4]  http://www.isc.org/products/BIND/bind-security.html
 [5]  ftp://ftp.openpkg.org/release/1.1/SRC/bind-9.2.1-1.1.0.src.rpm
 [6]  ftp://ftp.openpkg.org/current/SRC/bind-9.2.1-20021111.src.rpm
 [7]  ftp://ftp.openpkg.org/release/1.0/UPD/bind-8.2.6-1.0.2.src.rpm
 [8]  ftp://ftp.openpkg.org/release/1.1/UPD/bind8-8.3.3-1.1.1.src.rpm
 [9]  ftp://ftp.openpkg.org/current/SRC/bind8-8.3.3-20021114.src.rpm
 [10] http://www.openpkg.org/security.html#signature
 [11] http://www.openpkg.org/tutorial.html#regular-source
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iEYEARECAAYFAj3VOcwACgkQgHWT4GPEy5/vEACgmA+lr37ybByyTT7Q9ZBgzJAU
rvMAoOZMy6lDJryPLPg1NV+Wn21wE1qA
=gSdl
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Updated:  November 18, 2002

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2002-0076

Package name:      bind
Summary:           Remote exploit
Date:              2002-11-15
Affected versions: TSL 1.1, 1.2, 1.5

- --------------------------------------------------------------------------
Package description:
 BIND (Berkeley Internet Name Domain) is an implementation of the DNS
 (Domain Name System) protocols. BIND includes a DNS server (named),
 which resolves host names to IP addresses, and a resolver library
 (routines for applications to use when interfacing with DNS).

Problem description:
 ISS X-Force has found a number of problems in all BIND 8 series up to
 and including 8.2.6 and 8.3.3.  Two of these can cause BIND to crash
 causing a denial of service attack, whereas the last can be used to
 execute arbitary code on the victim.


Action:
 We recommend that all systems with this package installed be upgraded.
 Please note that if you do not need the functionality provided by this
 package, you may want to remove it from your system.


Location:
 All TSL updates are available from
 <URI:http://www.trustix.net/pub/Trustix/updates/>
 <URI:ftp://ftp.trustix.net/pub/Trustix/updates/>


About Trustix Secure Linux:
 Trustix Secure Linux is a small Linux distribution for servers. With focus on
 security and stability, the system is painlessly kept safe and up to date
 from day one using swup, the automated software updater.


Automatic updates:
 Users of the SWUP tool can enjoy having updates automatically
 installed using 'swup --upgrade'.

  Get SWUP from:
 <URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>


Public testing:
 These packages have been available for public testing for some time.
 If you want to contribute by testing the various packages in the
 testing tree, please feel free to share your findings on the
 tsl-discuss mailinglist.
 The testing tree is located at
 <URI:http://www.trustix.net/pub/Trustix/testing/>
 <URI:ftp://ftp.trustix.net/pub/Trustix/testing/>


Questions?
 Check out our mailing lists:
 <URI:http://www.trustix.net/support/>


Verification:
 This advisory along with all TSL packages are signed with the TSL sign key.
 This key is available from:
 <URI:http://www.trustix.net/TSL-GPG-KEY>

  The advisory itself is available from the errata pages at
 <URI:http://www.trustix.net/errata/trustix-1.2/> and
 <URI:http://www.trustix.net/errata/trustix-1.5/>
 or directly at
 <URI:http://www.trustix.net/errata/misc/2002/TSL-2002-0076-bind.asc.txt>


MD5sums of the packages:
- --------------------------------------------------------------------------
7ca823f5bdcda62354971ba527659f8f  ./1.1/RPMS/bind-8.2.6-2tr.i586.rpm
97e22862a18c94181f004b2961474a61  ./1.1/RPMS/bind-devel-8.2.6-2tr.i586.rpm
1b3924c34061398f64906a41bc4e103e  ./1.1/RPMS/bind-utils-8.2.6-2tr.i586.rpm
9b353d2f2beef989a4d34fa9fd04cc30  ./1.1/SRPMS/bind-8.2.6-2tr.src.rpm
979d763efbec95a6104b8df307a52ab2  ./1.2/RPMS/bind-8.2.6-2tr.i586.rpm
a219f2f92ea9f4cccb74c4ac9fcc8f69  ./1.2/RPMS/bind-devel-8.2.6-2tr.i586.rpm
cc97ab8e12caaff576063d150d7216e7  ./1.2/RPMS/bind-utils-8.2.6-2tr.i586.rpm
9b353d2f2beef989a4d34fa9fd04cc30  ./1.2/SRPMS/bind-8.2.6-2tr.src.rpm
aa38424ba1671b811aec3265e3764390  ./1.5/RPMS/bind-8.2.6-2tr.i586.rpm
74a18eed135150b64f62fb398d823175  ./1.5/RPMS/bind-devel-8.2.6-2tr.i586.rpm
74b1f15664668fcfa0da9b52f55d7745  ./1.5/RPMS/bind-utils-8.2.6-2tr.i586.rpm
9b353d2f2beef989a4d34fa9fd04cc30  ./1.5/SRPMS/bind-8.2.6-2tr.src.rpm
- --------------------------------------------------------------------------


Trustix Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE92NuHwRTcg4BxxS0RAraRAJ0Q+GDhIUUv0gbgv91q1ZmnFqkTHACfaRST
KUB6bSTouOiksfknm0Mc/6I=
=brw5
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.