Software Engineering Institute

Notified:  November 12, 2000 Updated: May 16, 2001

Status

Affected

Vendor Statement

   The Advisory [is] available [at]:

    http://www.calderasystems.com/support/security/advisories/CSSA-2000-040.0.txt

    Updated packages will be available from

    OpenLinux Desktop 2.3
      ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current
      9d8429f25c5fb3bebe2d66b1f9321e61  RPMS/bind-8.2.2p7-1.i386.rpm
      0e958eb01f40826f000d779dbe6b8cb3  RPMS/bind-doc-8.2.2p7-1.i386.rpm
      866ff74c77e9c04a6abcddcc11dbe17b  RPMS/bind-utils-8.2.2p7-1.i386.rpm
      6a545924805effbef01de74e34ba005e  SRPMS/bind-8.2.2p7-1.src.rpm

    OpenLinux eServer 2.3
      ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current
      379c4328604b4491a8f3d0de44e42347  RPMS/bind-8.2.2p7-1.i386.rpm
      b428b824c8b67f2d8d4bf53738a3e7e0  RPMS/bind-doc-8.2.2p7-1.i386.rpm
      28311d630281976a870d38abe91f07fb  RPMS/bind-utils-8.2.2p7-1.i386.rpm
      6a545924805effbef01de74e34ba005e  SRPMS/bind-8.2.2p7-1.src.rpm

    OpenLinux eDesktop 2.4
      ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current
      c37b6673cc9539e592013ac114846940  RPMS/bind-8.2.2p7-1.i386.rpm
      bbe0d7e317fde0d47cba1384f6d4b635  RPMS/bind-doc-8.2.2p7-1.i386.rpm
      5c28dd5641a4550c03e9859d945a806e  RPMS/bind-utils-8.2.2p7-1.i386.rpm
      6a545924805effbef01de74e34ba005e  SRPMS/bind-8.2.2p7-1.src.rpm

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  November 12, 2000 Updated: May 16, 2001

Status

Affected

Vendor Statement

......................................................................

 COMPAQ COMPUTER CORPORATION

......................................................................
  CERT-2000-20 - BIND 8 The "zxfr bug"  
                              X-REF: SSRT1-38U, CERT-2000-20
......................................................................
       Compaq Tru64 UNIX V5.1  -        
                                   patch:  SSRT1-66U_v5.1.tar.Z      

       Compaq Tru64 UNIX V5.0  & V5.0a -
                            V5.0   patch: SSRT1-68U_v5.0.tar.Z      
                            V5.0a patch: SSRT1-68U_v5.0a.tar.Z    

       Compaq Tru64 UNIX V4.0D/F/G              - Not Vulnerable
       TCP/IP Services for Compaq OpenVMS - Not Vulnerable

......................................................................
CERT02000-20 - BIND 8 The "srv bug"
                             X-REF: SSRT1-38U, CERT CA2000-20
......................................................................
       Compaq Tru64 UNIX V5.1  -        
                                   patch: SSRT1-66U_v5.1.tar.Z    

       Compaq Tru64 UNIX V5.0 &  V5.0a  -
                            V5.0   patch: SSRT1-68U_v5.0.tar.Z      
                            V5.0a patch: SSRT1-68U_v5.0a.tar.Z    

       Compaq Tru64 UNIX V4.0D/F/G              - Not Vulnerable
       TCP/IP Services for Compaq OpenVMS - Not Vulnerable

 Compaq will provide notice of the completion/availability
 of the patches through AES services (DIA, DSNlink FLASH),
 the ** Security mailing list, and be available from your
 normal Compaq Support channel.
               **You may subscribe to the Security mailing list at:
             
http://www.support.compaq.com/patches/mailing-list.shtml

 Software Security Response Team
 COMPAQ COMPUTER CORPORATION
......................................................................

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Compaq Tru64 Unix was reported as being not vulnerable when CA-2000-20 was initially launched.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Updated:  May 16, 2001

Status

Affected

Vendor Statement

Please see Conectiva Linux Security Announcement CLSA-2000:338 at:

http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000338

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please note that the updated BIND packages referred to in CLSA-2000:338 contain a packaging error which renders named inoperable. Conectiva has published CLSA-2000:339 as an update to CLSA-2000:338. For further information, please visit:

Notified:  November 12, 2000 Updated: May 11, 2001

Status

Affected

Vendor Statement

HP is vulnerable to the SRV issue and patches are available, see HP Security Bulletin #144.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

To locate this HP Security Bulletin online, please visit http://itrc.hp.com and search for "HPSBUX0102-144". Please note that registration may be required to access this document.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  November 12, 2000 Updated: May 11, 2001

Status

Affected

Vendor Statement

IBM has reported to the CERT/CC that AIX is vulnerable to the bugs described in this document. IBM initially released an e-patch in APAR IY14512.

IBM has posted an e-fix for the BIND denial-of-service vulnerabilities to ftp.software.ibm.com/aix/efixes/security. See the README file in this ftp directory for additional information.

Also, IBM has posted an e-fix to this same site that contains libc.a library that incorporates a fix to the BIND vulnerabilities and the recent locale subsystem format string vulnerability discovered by Ivan Arce of CORE, and discussed on Bugtraq. The e-fix for BIND must be downloaded and installed before implementing this e-fix. See the same README file for details.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  November 12, 2000 Updated: November 13, 2000

Status

Affected

Vendor Statement

NetBSD is believed to be vulnerable to these problems; in response,

NetBSD-current has been upgraded to 8.2.2-P7 and 8.2.2-P7 will be
present in the forthcoming NetBSD 1.5 release.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.