Overview
DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service.
Description
A read buffer overflow vulnerability exists in BIND 4 and BIND 8.2.x stub resolver libraries. Other resolver libraries derived from BIND 4 are also affected, including BSD libc, GNU/Linux glibc, and System 5 UNIX libresolv. This vulnerability is similar in scope to VU#803539 and VU#542971, which are referenced by CERT Advisory CA-2002-19. The name server itself, named, is not affected. The vulnerability exists in DNS stub resolver libraries that are used by network applications to obtain host or network information, typically host names and IP addresses. For example, when a web browser attempts to access http://www.cert.org/, it calls functions in a DNS stub resolver library in order to determine an IP address for www.cert.org. |
Impact
An attacker who is able to send DNS responses to a vulnerable system could cause a denial of service, crashing the application that made calls to a vulnerable resolver library. It does not appear that this vulnerability can be leveraged to execute arbitrary code. There may be some risk of information disclosure if a vulnerable system returns the contents of memory adjacent to a DNS response. |
Solution
Patch or Upgrade |
Local Caching DNS Server Not Effective |
Vendor Information
Conectiva Affected
Notified: August 15, 2002 Updated: November 08, 2002
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please reference the following Conectiva Linux Announcements (English): CLSA-2002:535 (glibc) and CLSA-2002:531 (fetchmail).
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Debian Affected
Notified: August 15, 2002 Updated: November 08, 2002
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Most Linux distributions include the GNU glibc library that contains vulnerable DNS resolver functions. Debian Security Advisory DSA-178 (superseded by DSA-185) addresses this issue in Heimdal Kerberos. See also:
http://security.debian.org/pool/updates/main/h/heimdal/heimdal_0.2l-7.6.diff.gz
Debian Security Advisory DSA-171 addresses this issue in fetchmail.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Fetchmail Affected
Updated: October 18, 2002
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
FreeBSD Affected
Notified: August 15, 2002 Updated: November 13, 2002
Status
Affected
Vendor Statement
Please see FreeBSD-SA-02:42.resolv.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Fujitsu Affected
Notified: August 15, 2002 Updated: October 16, 2002
Status
Affected
Vendor Statement
Fujitsu's UXP/V operating system is vulnerable to the bug reported in VU#738331.
Bug fixes are currently being developed and will be available in November, 2002.
The bug fix no. for UXP/V V20L10 is UX28292.
The bug fix no. for UXP/V V10L20 is UX15055.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
GNU glibc Affected
Notified: August 15, 2002 Updated: October 16, 2002
Status
Affected
Vendor Statement
Version 2.2.5 of the GNU C Library is vulnerable. The following patch has been installed into the CVS sources, and should appear in the next version.
2002-09-04 Roland McGrath <roland@redhat.com>
* resolv/nss_dns/dns-network.c (MAXPACKET): Increase minimum value
from 1024 to 65536, to avoid buffer overrun.
2002-08-24 Ulrich Drepper <drepper@redhat.com>
* resolv/nss_dns/dns-host.c (MAXPACKET): Likewise.
2002-08-16 Paul Eggert <eggert@twinsun.com>
* resolv/gethnamaddr.c (MAXPACKET): Likewise.
* resolv/res_query.c (MAXPACKET): Likewise.
===================================================================
RCS file: /cvs/glibc/libc/resolv/nss_dns/dns-network.c,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- libc/resolv/nss_dns/dns-network.c 2002/08/26 06:20:05 1.12
+++ libc/resolv/nss_dns/dns-network.c 2002/09/05 01:23:06 1.13
@@ -70,10 +70,10 @@
#define MAX_NR_ALIASES 48
-#if PACKETSZ > 1024
-#define MAXPACKET PACKETSZ
+#if PACKETSZ > 65536
+# define MAXPACKET PACKETSZ
#else
-#define MAXPACKET 1024
+# define MAXPACKET 65536
#endif
===================================================================
RCS file: /cvs/glibc/libc/resolv/nss_dns/dns-host.c,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -r1.32 -r1.33
--- libc/resolv/nss_dns/dns-host.c 2002/08/03 03:42:06 1.32
+++ libc/resolv/nss_dns/dns-host.c 2002/08/24 22:29:11 1.33
@@ -92,10 +92,10 @@
#define MAX_NR_ALIASES 48
#define MAX_NR_ADDRS 48
-#if PACKETSZ > 1024
+#if PACKETSZ > 65536
# define MAXPACKET PACKETSZ
#else
-# define MAXPACKET 1024
+# define MAXPACKET 65536
#endif
/* As per RFC 1034 and 1035 a host name cannot exceed 255 octets in length. */
#ifdef MAXHOSTNAMELEN
===================================================================
RCS file: /cvs/glibc/libc/resolv/gethnamaddr.c,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -r1.39 -r1.40
--- libc/resolv/gethnamaddr.c 2002/08/03 03:40:54 1.39
+++ libc/resolv/gethnamaddr.c 2002/08/24 22:29:11 1.40
@@ -115,10 +115,10 @@
extern void addrsort __P((char **, int));
#endif
-#if PACKETSZ > 1024
+#if PACKETSZ > 65536
#define MAXPACKET PACKETSZ
#else
-#define MAXPACKET 1024
+#define MAXPACKET 65536
#endif
/* As per RFC 1034 and 1035 a host name cannot exceed 255 octets in length. */
===================================================================
RCS file: /cvs/glibc/libc/resolv/res_query.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- libc/resolv/res_query.c 2001/01/08 17:55:24 1.16
+++ libc/resolv/res_query.c 2002/08/24 22:29:11 1.17
@@ -85,10 +85,10 @@
/* Options. Leave them on. */
/* #undef DEBUG */
-#if PACKETSZ > 1024
+#if PACKETSZ > 65536
#define MAXPACKET PACKETSZ
#else
-#define MAXPACKET 1024
+#define MAXPACKET 65536
#endif
/*
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Guardian Digital Inc. Affected
Notified: August 15, 2002 Updated: October 10, 2002
Status
Affected
Vendor Statement
See ESA-20021003-021.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Most Linux distributions include the GNU glibc library that contains vulnerable DNS resolver functions.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Hewlett-Packard Company Affected
Notified: August 15, 2002 Updated: April 15, 2003
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
HP Secure OS Software for Linux is affected. Please reference the following documents: HPSBTL0210-071 (fetchmail), HPSBTL0210-070 (nss_ldap), and HPSBTL0210-069/HPSBTL0211-0075 (glibc).
See also HPSBUX0208-209/SSRT2316.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Hitachi Affected
Notified: August 27, 2002 Updated: November 08, 2002
Status
Affected
Vendor Statement
DNS resolver included in GR2000 router is potentially vulnerable to this problem. All ROUTE-OS software from the version 02-03 is affected. Below is the release schedule for the fixed version of software.
Fixed software version : 06-05-/E
Release date : September 12, 2002
Please see
http://www.hitachi.co.jp/Prod/comp/network/notice/20020911_0_E.html
for more information.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
IBM Affected
Notified: August 15, 2002 Updated: October 16, 2002
Status
Affected
Vendor Statement
The AIX operating system is vulnerable to a buffer overflow in the res_nsend() resolver function, as mentioned above, in releases 4.3.3 and 5.1.0. This problem was discovered and fixed earlier while investigating a core dump from the "host" command.
The following APAR's are available for this fix:
AIX 4.3.3: IY31886
AIX 5.1.0: IY31889
The APAR's can be downloaded by going to the following URL, then following the links for your system release level.
http://techsupport.services.ibm.com/servers/fixes?view=pseries
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
ISC Affected
Updated: October 16, 2002
Status
Affected
Vendor Statement
Internet Software Consortium Security Advisary.
LIBBIND/LIBRESOLV: Denial of Service.
8 August 2002
Versions affected:
BIND 4 prior to 4.9.10
BIND 8 prior to 8.2.5
Severity: SERIOUS
Exploitable: Remotely
Type: Denial of service
Description:
When looking up address (gethostbyname(), gethostbyaddr()
etc.) a less than maximum sized buffer is passed to
res_search() / res_query(). If the answer is too large
to fit in the buffer the size of buffer required is
returned along with the part of the message that will fit.
This value is not checked and is passed to getanswer which
then may read past the end of the buffer depending up the
contents in the answer section.
THIS DOES NOT AFFECT THE NAMESERVER.
THIS CAN BE TRANSMITTED THROUGH CACHES.
BIND 9 is NOT affected.
BIND 8.3.x is NOT affected.
This bug may exist in other applications that call the
DNS directly.
Workarounds:
None. Upgrade and re-linking required.
Impact:
Applications linked against vulnerable versions of the
libraries may die with segmentation violations /
bus errors.
Fix:
Upgrade to BIND 4.9.10 or preferably BIND 8.3.3.
BIND 4 is officially deprecated. Only security
fixes will be issued for BIND 4.
http://www.isc.org/products/BIND
For application writers. Use a maximum sized buffer (64k),
be prepared to redo the calls res_search(), res_query(),
res_send(), res_nsearch(), res_nquery() and res_send()
with a bigger buffer or take the minimum of the answer
buffer size and the value returned by these calls and
be aware that the answer is truncated.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Juniper Networks Affected
Notified: August 15, 2002 Updated: October 16, 2002
Status
Affected
Vendor Statement
Juniper Networks has determined that its JUNOS Internet Software, used on the M- and T-series of router products, is susceptible to this vulnerability in versions 5.2R1.4, 5.2R2.3, 5.2R3.4, 5.2R4.4, 5.3R1.2, 5.3R2.4, 5.3R3.3, and 5.4R1.4. Customers should contact Juniper or their Juniper reseller to obtain an updated version of JUNOS software.
Juniper Networks has determined that the operating software used on the ERX router products is not susceptible to this vulnerability. No software upgrade is required. However, the SDX-300 Service Deployment system may be susceptible if it is installed on a susceptible host platform. Users of SDX-300 should contact their host operating system vendor regarding this advisory.
The Juniper Networks G10 CMTS product is not susceptible to this vulnerability. No upgrade is required.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
KAME Project Affected
Updated: October 01, 2002
Status
Affected
Vendor Statement
The problem was fixed in the KAME tree on August 27, 2002.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
MIT Kerberos Development Team Affected
Notified: August 23, 2002 Updated: October 16, 2002
Status
Affected
Vendor Statement
We don't ship a resolver implementation as part of MIT krb5. Our code does call res_search() in a potentially unsafe manner, but seems to only result in a read overrun. Also, it is primarily client-side code that calls res_search(), so denial of service attacks against servers are unlikely.
This will be fixed in an upcoming release of MIT krb5. The MIT Kerberos Team is not issuing a patch at this time, as we believe that the vulnerability is limited to a client-side denial of service.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
MandrakeSoft Affected
Notified: August 15, 2002 Updated: November 08, 2002
Status
Affected
Vendor Statement
Mandrake Linux 7.1 and 7.2, which ship with BIND 8.x, already have been updated to BIND version 8.3.3, which is not vulnerable to this problem. Mandrake Linux 8.0 and higher ship with BIND 9.x which is also not vulnerable.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Most Linux distributions include the GNU glibc library that contains vulnerable DNS resolver functions. MandrakeSoft has also released MDKSA-2002:063 (fetchmail) and MDKSA-2002:075 (nss_ldap).
If you have feedback, comments, or additional information about this vulnerability, please send us email.
MetaSolv Software Inc. Affected
Notified: August 15, 2002 Updated: October 01, 2002
Status
Affected
Vendor Statement
The resolver code embedded in the DNS Server (Based on ISC BIND 8.2.3) on both MetaSolv Policy Services 4.1 and 4.2 are open to Vulnerability Note VU#738331. This issue is being tracked by MetaSolv under Case #28230. An upgrade to ISC BIND 8.2.6 and the ISC Sanctioned Patches to 8.2.6 for this advisory have been compiled and applied, and will be available in Policy Services 4.2 Service Pack 1 efix 1. Please contact MetaSolv Global Customer Care (supporthd@metasolv.com) for availability and assistance.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NetBSD Affected
Notified: August 15, 2002 Updated: October 10, 2002
Status
Affected
Vendor Statement
See NetBSD Security Advisory SA2002-015 for details.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Nortel Networks Affected
Notified: August 15, 2002 Updated: November 08, 2002
Status
Affected
Vendor Statement
Nortel Networks has determined that NetID version 4.3.1 and later is potentially affected by the vulnerability identified in CERT/CC Vulnerability Note VU#738331; a bulletin and patch are available from the following Nortel Networks support contacts:
North America: 1-8004NORTEL or 1-800-466-7835
Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009
Contacts for other regions are available at
www.nortelnetworks.com/help/contact/global/
Optivity NMS is not affected.
The former Nortel Networks product Preside Policy Server divested to MetaSolv Software, Inc. in February 2002 uses BIND 8 and may be potentially affected. Please refer to MetaSolv Software Inc.'s Vendor Statement.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Openwall GNU/*/Linux Affected
Notified: August 15, 2002 Updated: October 16, 2002
Status
Affected
Vendor Statement
Openwall GNU/*/Linux's glibc package was affected. As a workaround, we have applied the patch by Olaf Kirch of SuSE which limits the return value from res_send(3) to be no greater than the provided answer buffer size. This approach has the advantage of reducing the problem for poorly written third-party applications, including those which aren't a part of our distribution. At the same time, checks have also been added to avoid some potential reads beyond end of undersized DNS responses as pointed out by Dmitry V. Levin of ALT Linux. This change will be documented in the system-wide change log:
http://www.openwall.com/Owl/CHANGES.shtml
The BIND 4.9.x Openwall patch (which adds a number of security-related features) has been updated to the upcoming 4.9.10 release and will be made available at:
http://www.openwall.com/bind/
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Red Hat Inc. Affected
Notified: August 15, 2002 Updated: November 08, 2002
Status
Affected
Vendor Statement
All supported versions of Red Hat Linux which shipped with vulnerable versions of BIND were updated to BIND 9.x by a previous security errata issued in August 2002 and are therefore not vulnerable to this issue. Users of the Red Hat Network can make sure their systems are updated to this release using the 'up2date' tool.
http://rhn.redhat.com/errata/RHSA-2002-133.html
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Red Hat has also released RHSA-2002:197 (glibc), RHSA-2002:215 (fetchmail), and RHSA-2002:175 (nss_ldap).
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SuSE Inc. Affected
Notified: August 15, 2002 Updated: October 25, 2002
Status
Affected
Vendor Statement
All SuSE versions of bind8 are affected by the bug in res_search/res_query. Fixed packages will be provided at 2002-10-01.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
SuSE Security Announcement SuSE-SA:2002:034 addresses this issue in Heimdal Kerberos.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sun Microsystems Inc. Affected
Notified: August 15, 2002 Updated: November 08, 2002
Status
Affected
Vendor Statement
The Solaris DNS resolver library (libresolv.so) is affected by this issue in the following versions of Solaris:
Solaris 2.5.1, 2.6, 7, and 8
Patches have been generated for all of the above releases. Sun has published Sun Alert 45463 for this issue which is available from:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F45463
The patches for this issue are available from:
http://sunsolve.sun.com/securitypatch
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Xerox Corporation Affected
Notified: August 15, 2002 Updated: April 15, 2003
Status
Affected
Vendor Statement
A response to this vulnerability is available from our web site:
http://www.xerox.com/security/
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Apple Computer Inc. Not Affected
Notified: August 15, 2002 Updated: August 23, 2002
Status
Not Affected
Vendor Statement
Mac OS X and Mac OS X Server do not contain the vulnerability described in this report.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Computer Associates Not Affected
Notified: August 15, 2002 Updated: October 01, 2002
Status
Not Affected
Vendor Statement
We do not ship a resolver implementation or utilize the resolver library calls (i.e., res_*) but do utilize other native calls (e.g., gethostbyname(), gethostbyaddr() etc.) for translations.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
GNU adns Not Affected
Notified: August 15, 2002 Updated: October 03, 2002
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Lucent Technologies Not Affected
Notified: August 15, 2002 Updated: August 21, 2002
Status
Not Affected
Vendor Statement
LMG is not affected by the bind vulnerability. LMG uses BIND 9.2.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Microsoft Corporation Not Affected
Notified: August 15, 2002 Updated: August 23, 2002
Status
Not Affected
Vendor Statement
Microsoft does not use BIND resolver code.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Nixu Not Affected
Notified: September 24, 2002 Updated: October 14, 2002
Status
Not Affected
Vendor Statement
Nixu NameSurfer itself does not contain any parts of the resolver library being discussed, nor does it call the res_* functions directly. However, parts of NameSurfer are dynamically linked with the resolver library on the DNS server machine. Therefore, if the underlying system is vulnerable, the vulnerability propagates also to NameSurfer.
Nixu recommends that the resolver on the DNS server running NameSurfer is upgraded according to ISC's advisory as published by CERT. No further actions are required.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
SGI Not Affected
Notified: August 15, 2002 Updated: August 23, 2002
Status
Not Affected
Vendor Statement
SGI uses nsd (UNS name service daemon) as a resolver and it does not appear to be vulnerable as it does not use any of the res_* functions.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Secure Computing Corporation Not Affected
Updated: October 16, 2002
Status
Not Affected
Vendor Statement
SIDEWINDER(tm) FIREWALL & VPN (all releases including SIDEWINDER APPLIANCE)
Not Vulnerable
As part of Sidewinder(tm)'s defense in depth architecture, DNS queries are sandboxed by SecureOS(tm)'s patented Type Enforcement technology. Faults in the resolver library cannot cause a comprimise of the Sidewinder(tm). However, since a Bind 8 caching server can still pass this attack along to vulnerable resolvers, Sidewinder(tm) users who wish to protect vulnerable resolvers behind their firewall from attack should upgrade to version 5.2.1.05, which replaces Bind 8 with Bind 9.
Customers should contact Customer Service to obtain version 5.2.1.05.
Gauntlet and e-ppliance
Both Gauntlet Software and Gauntlet e-ppliance utilize the Bind version that ships with Solaris 8. Please see Solaris 8 response to this vulnerability to assess applicability of any potential DOS risk. Secure Computing will test and make recommendations to customers regarding any potential software changes, if any, published by Sun Microsystems.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
djbdns Not Affected
Notified: August 15, 2002 Updated: October 01, 2002
Status
Not Affected
Vendor Statement
djbdns does not have these bugs. djbdns has never used any BIND-derived code. djbdns, including the djbdns client library, is covered by a $500 security guarantee. The djbdns client library is free for use by other packages in place of BIND's libresolv. See http://cr.yp.to/djbdns.html.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
3Com Unknown
Updated: October 01, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
AT&T Unknown
Notified: August 15, 2002 Updated: October 03, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Alcatel Unknown
Notified: August 15, 2002 Updated: October 01, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
BlueCat Networks Unknown
Notified: August 15, 2002 Updated: October 03, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Check Point Unknown
Notified: August 15, 2002 Updated: April 15, 2003
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
<http://www.checkpoint.com/techsupport/documentation/smartdefense/2002/cpai-2002-09.html>
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Cisco Systems Inc. Unknown
Notified: August 15, 2002 Updated: October 01, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Cray Inc. Unknown
Notified: August 15, 2002 Updated: October 01, 2002
Status
Unknown
Vendor Statement
Cray Inc. may be vulnerable and has opened spr 723016 to track this issue.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Data General Unknown
Notified: August 15, 2002 Updated: September 24, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
F5 Networks Unknown
Notified: August 15, 2002 Updated: October 03, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Infoblox Unknown
Notified: August 15, 2002 Updated: October 01, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Intel Unknown
Notified: August 15, 2002 Updated: October 03, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
KTH Kerberos Unknown
Notified: August 23, 2002 Updated: August 24, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Lotus Software Unknown
Notified: September 24, 2002 Updated: October 03, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
NEC Corporation Unknown
Notified: August 15, 2002 Updated: October 16, 2002
Status
Unknown
Vendor Statement
sent on October 4, 2002
[Server Products]
On investigation
[Router Products]
- IX 5000 Series
- IX 1000/2000 Series
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Network Appliance Unknown
Notified: August 15, 2002 Updated: October 03, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Nominum Unknown
Notified: August 15, 2002 Updated: October 01, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
OpenBSD Unknown
Notified: August 15, 2002 Updated: August 15, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
OpenLDAP Unknown
Notified: August 23, 2002 Updated: August 24, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Oracle Corporation Unknown
Notified: October 01, 2002 Updated: October 01, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sendmail Unknown
Notified: August 15, 2002 Updated: October 03, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sequent Unknown
Notified: August 15, 2002 Updated: October 03, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Sony Corporation Unknown
Notified: August 15, 2002 Updated: October 03, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
The SCO Group Unknown
Notified: August 15, 2002 Updated: September 24, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Unisphere Networks Unknown
Notified: August 15, 2002 Updated: October 03, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Unisys Unknown
Notified: August 15, 2002 Updated: October 03, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Wind River Systems Inc. Unknown
Notified: August 15, 2002 Updated: August 15, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
The CERT/CC thanks Mark Andrews of ISC for reporting this vulnerability.
This document was written by Art Manion.
Other Information
| CVE IDs: | CVE-2002-1146 |
| Severity Metric: | 19.04 |
| Date Public: | 2002-10-01 |
| Date First Published: | 2002-10-01 |
| Date Last Updated: | 2003-04-15 19:39 UTC |
| Document Revision: | 40 |