Apple Not Affected

Notified:  January 18, 2001 Updated: April 05, 2001

Status

Not Affected

Vendor Statement

Apple plans to include BIND 8.2.3 in Mac OS X. BIND is not enabled by default in Mac OS X or Mac OS X Server.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

BSDI Unknown

Notified:  January 18, 2001 Updated: January 26, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Caldera Affected

Notified:  January 18, 2001 Updated: January 29, 2001

Status

Affected

Vendor Statement

OpenLinux 2.3, eServer 2.3.1 and eDesktop 2.4 are all vulnerable. Update packages will be provided at

ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Compaq Computer Corporation Affected

Notified:  January 18, 2001 Updated: April 04, 2001

Status

Affected

Vendor Statement

COMPAQ COMPUTER CORPORATION

VU#196945 - BIND 8 contains buffer overflow in transaction signature handling code

X-REF: SSRT1-66U, SSRT1-68U

Compaq Tru64 UNIX V5.1 -
    V5.1 patch: SSRT1-66U_v5.1.tar.Z

Compaq Tru64 UNIX V5.0 & V5.0a -
    V5.0 patch: SSRT1-68U_v5.0.tar.Z
    V5.0a patch: SSRT1-68U_v5.0a.tar.Z

Compaq Tru64 UNIX V4.0D/F/G - Not Vulnerable

TCP/IP Services for Compaq OpenVMS - Not Vulnerable

Compaq will provide notice of the completion/availability of the patches through AES services (DIA, DSNlink FLASH), the Security mailing list (**), and be available from your normal Compaq Support channel.

**You may subscribe to the Security mailing list at: http://www.support.compaq.com/patches/mailing-list.shtml

Software Security Response Team
COMPAQ COMPUTER CORPORATION

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Conectiva Affected

Notified:  January 29, 2001 Updated: April 04, 2001

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Conectiva Linux has made an announcement regarding this vulnerability; for further information, please see: http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000377

Data General Unknown

Notified:  January 18, 2001 Updated: January 26, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Debian Affected

Notified:  January 18, 2001 Updated: April 05, 2001

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Debian has made an announcement regarding this vulnerability; for further information, please see: http://www.debian.org/security/2001/dsa-026

FreeBSD Affected

Notified:  January 18, 2001 Updated: May 11, 2001

Status

Affected

Vendor Statement

No supported version of FreeBSD contains BIND 4.x, so this does not affect us. We currently ship betas of 8.2.3 in the FreeBSD 4.x release branch, and will be upgrading to 8.2.3 once it is released.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

FreeBSD has released the following advisory regarding this issue: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:18.bind.asc

Fujitsu Unknown

Notified:  January 18, 2001 Updated: January 26, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hewlett Packard Not Affected

Notified:  January 18, 2001 Updated: May 10, 2001

Status

Not Affected

Vendor Statement

None of the Bind versions of HP-UX is vulnerable to VU#196945 - problem of buffer overflow in TSIG handling code.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

HP has released a Security Bulletin to address this issue; for further information, please visit http://itrc.hp.com and search for "HPSBUX0102-144". Please note that registration may be required to access this document.

IBM Affected

Notified:  January 18, 2001 Updated: April 05, 2001

Status

Affected

Vendor Statement

[A fix for this vulnerability] can be downloaded from ftp://ftp.software.ibm.com/aix/efixes/security. The compressed tarfile is multiple_bind_vulns_efix.tar.Z. Installation instructions and other important information are given in the README file that is included in the tarball. The official fix for the four BIND4 and BIND8 vulnerabilities will be in APAR #IY16182.

AIX Security Response Team
IBM Austin

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Immunix Affected

Notified:  January 31, 2001 Updated: April 05, 2001

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Immunix has made an announcement regarding this vulnerability; for further information, please see: http://download.immunix.org/ImmunixOS/7.0-beta/updates/IMNX-2001-70-001-01

ISC Affected

Notified:  January 05, 2001 Updated: April 04, 2001

Status

Affected

Vendor Statement

Name: "tsig bug"

Versions: 8.2, 8.2-P1, 8.2.1, 8.2.2, 8.2.2-P1, 8.2.2-P2, 8.2.2-P3, 8.2.2-P4, 8.2.2-P5, 8.2.2-P6, 8.2.2-P7 and all 8.2.3 betas.

Severity: CRITICAL

Exploitable: Remotely

Type: Access possible

Description: It is possible to overflow a buffer handling TSIG signed queries, thereby obtaining access to the system.

Workarounds: None.

Active Exploits: Exploits for this bug exist.

Solution: Upgrade to BIND 8.2.3-REL or preferably BIND 9.1.

Credits: Discovery and initial documentation of this vulnerability was conducted by Anthony Osborne and John McDonald of the COVERT Labs at PGP Security.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The ISC has posted this information on their web site at: http://www.isc.org/products/BIND/bind-security.html

The source code for ISC BIND can be downloaded from: ftp://ftp.isc.org/isc/bind/src/

MandrakeSoft Affected

Notified:  February 03, 2001 Updated: April 04, 2001

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

MandrakeSoft has made an announcement regarding this vulnerability; for further information, please see: http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-017.php3

Microsoft Not Affected

Notified:  January 18, 2001 Updated: January 30, 2001

Status

Not Affected

Vendor Statement

Microsoft's implementation of DNS is not based on BIND, and is not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NEC Unknown

Notified:  January 18, 2001 Updated: January 27, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetBSD Affected

Notified:  January 18, 2001 Updated: April 05, 2001

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see NetBSD-SA2001-001, "Security vulnerabilities in BIND" at: ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/advisories/NetBSD-SA2001-001.txt.asc

NeXT Unknown

Notified:  January 18, 2001 Updated: January 27, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenBSD Not Affected

Notified:  January 18, 2001 Updated: January 30, 2001

Status

Not Affected

Vendor Statement

So we are pretty impressed with ourselves, since it looks like none of these BIND bugs affected us. In '97, a couple of us did some sprintf->snprintf whacking. Probably took about 3 minutes.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

RedHat Affected

Notified:  January 18, 2001 Updated: April 04, 2001

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

RedHat has released an advisory regarding this vulnerability; for further information, please see RHSA-2001-007 and associated bug reports at:

http://www.redhat.com/support/errata/RHSA-2001-007.html
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=25209

SCO Affected

Notified:  January 18, 2001 Updated: May 01, 2002

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Caldera UNIX has published Security Advisory CSSA-2002-SCO.16 to address this issue in their UnixWare product line. For more information, please see: ftp://stage.caldera.com/pub/security/unixware/CSSA-2002-SCO.16/CSSA-2002-SCO.16.txt

Sequent Unknown

Notified:  January 18, 2001 Updated: January 27, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SGI Unknown

Notified:  January 18, 2001 Updated: April 27, 2001

Status

Unknown

Vendor Statement

SGI's IRIX (tm) operating system contains base BIND 4.9.7 with SGI modifications. IRIX BIND 4.9.7 is vulnerable to buffer overflow in nslookupComplain(). Patches are forthcoming and will be released with an advisory to http://www.sgi.com/support/security/ when available.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SGI has released an advisory regarding this vulnerability. For further information, please visit ftp://patches.sgi.com/support/free/security/advisories/20010401-01-P

Siemens Nixdorf Unknown

Notified:  January 18, 2001 Updated: January 27, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Slackware Affected

Notified:  February 03, 2001 Updated: April 05, 2001

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Slackware has made an announcement regarding this vulnerability; for further information, please see: http://www.slackware.com/lists/archive/viewer.php?l=slackware-security&y=2001&m=slackware-security.247721

Sony Unknown

Notified:  January 18, 2001 Updated: January 27, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sun Affected

Notified:  January 18, 2001 Updated: August 07, 2001

Status

Affected

Vendor Statement

CERT Advisory CA-2001-02 describes four vulnerabilities in certain versions of BIND. The four vulnerabilities are listed below along with the affected versions of Solaris and the version of BIND shipped with each version of Solaris.

VU#196945 - ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code
    Solaris 8 04/01* (BIND 8.2.2-p5)
    Solaris 8 Maintenance Update 4* (BIND 8.2.2-p5)

VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()
    Solaris 2.6 (BIND 4.9.4-P1)
    Solaris 2.5.1** (BIND 4.9.3)

VU#868916 - ISC BIND 4 contains input validation error in nslookupComplain()
    Solaris 2.6 (BIND 4.9.4-P1)
    Solaris 2.5.1** (BIND 4.9.3)

VU#325431 - Queries to ISC BIND servers may disclose environment variables
    Solaris 2.4, 2.5 (BIND 4.8.3)
    Solaris 2.5.1** (BIND 4.9.3 and BIND 4.8.3)
    Solaris 2.6 (BIND 4.9.4-P1)
    Solaris 7 and 8 (BIND 8.1.2)

* To determine if one is running Solaris 8 04/01 or Solaris 8 Maintenance Update 4, check the contents of the /etc/release file.

** Solaris 2.5.1 ships with BIND 4.8.3 but patch 103663-01 for SPARC and 103664-01 for x86 upgrades BIND to 4.9.3, current revision for each patch is -17.

List of Patches

The following patches are available in relation to the above problems.

    OS Version         Patch ID
    SunOS 5.8          109326-04
    SunOS 5.8_x86      109327-04
    SunOS 5.7          107018-03
    SunOS 5.7_x86      107019-03
    SunOS 5.6          105755-10
    SunOS 5.6_x86      105756-10
    SunOS 5.5.1        103663-16
    SunOS 5.5.1_x86    103664-16
    SunOS 5.5          103667-12
    SunOS 5.5_x86      103668-12
    SunOS 5.4          102479-14
    SunOS 5.4_x86      102480-12

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

For the full text of Sun Microsystems Security Bulletin #204, please visit http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/204&type=0&nav=sec.sba This document has been archived here

SuSE Affected

Notified:  February 03, 2001 Updated: April 05, 2001

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SuSE has made an announcement regarding this vulnerability; for further information, please see: http://www.suse.com/us/support/security/index.html

Unisys Unknown

Notified:  January 18, 2001 Updated: January 27, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.
