Notified: November 12, 2000 Updated: May 16, 2001
Affected
The Advisory [is] available [at]: http://www.calderasystems.com/support/security/advisories/CSSA-2000-040.0.txt

Updated packages will be available from

OpenLinux Desktop 2.3
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current
9d8429f25c5fb3bebe2d66b1f9321e61 RPMS/bind-8.2.2p7-1.i386.rpm
0e958eb01f40826f000d779dbe6b8cb3 RPMS/bind-doc-8.2.2p7-1.i386.rpm
866ff74c77e9c04a6abcddcc11dbe17b RPMS/bind-utils-8.2.2p7-1.i386.rpm
6a545924805effbef01de74e34ba005e SRPMS/bind-8.2.2p7-1.src.rpm

OpenLinux eServer 2.3
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current
379c4328604b4491a8f3d0de44e42347 RPMS/bind-8.2.2p7-1.i386.rpm
b428b824c8b67f2d8d4bf53738a3e7e0 RPMS/bind-doc-8.2.2p7-1.i386.rpm
28311d630281976a870d38abe91f07fb RPMS/bind-utils-8.2.2p7-1.i386.rpm
6a545924805effbef01de74e34ba005e SRPMS/bind-8.2.2p7-1.src.rpm

OpenLinux eDesktop 2.4
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current
c37b6673cc9539e592013ac114846940 RPMS/bind-8.2.2p7-1.i386.rpm
bbe0d7e317fde0d47cba1384f6d4b635 RPMS/bind-doc-8.2.2p7-1.i386.rpm
5c28dd5641a4550c03e9859d945a806e RPMS/bind-utils-8.2.2p7-1.i386.rpm
6a545924805effbef01de74e34ba005e SRPMS/bind-8.2.2p7-1.src.rpm
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: November 12, 2000 Updated: May 16, 2001
Affected
COMPAQ COMPUTER CORPORATION

CERT-2000-20 - BIND 8 The "zxfr bug"
X-REF: SSRT1-38U, CERT-2000-20
Compaq Tru64 UNIX V5.1 - patch: SSRT1-66U_v5.1.tar.Z
Compaq Tru64 UNIX V5.0 & V5.0a - V5.0 patch: SSRT1-68U_v5.0.tar.Z V5.0a patch: SSRT1-68U_v5.0a.tar.Z
Compaq Tru64 UNIX V4.0D/F/G - Not Vulnerable
TCP/IP Services for Compaq OpenVMS - Not Vulnerable

CERT02000-20 - BIND 8 The "srv bug"
X-REF: SSRT1-38U, CERT CA2000-20
Compaq Tru64 UNIX V5.1 - patch: SSRT1-66U_v5.1.tar.Z
Compaq Tru64 UNIX V5.0 & V5.0a - V5.0 patch: SSRT1-68U_v5.0.tar.Z V5.0a patch: SSRT1-68U_v5.0a.tar.Z
Compaq Tru64 UNIX V4.0D/F/G - Not Vulnerable
TCP/IP Services for Compaq OpenVMS - Not Vulnerable

Compaq will provide notice of the completion/availability of the patches through AES services (DIA, DSNlink FLASH), the ** Security mailing list, and be available from your normal Compaq Support channel.

**You may subscribe to the Security mailing list at: http://www.support.compaq.com/patches/mailing-list.shtml

Software Security Response Team
COMPAQ COMPUTER CORPORATION
The vendor has not provided us with any further information regarding this vulnerability.
Compaq Tru64 Unix was reported as being not vulnerable when CA-2000-20 was initially launched.
Updated: May 16, 2001
Affected
Please see Conectiva Linux Security Announcement CLSA-2000:338 at: http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000338
The vendor has not provided us with any further information regarding this vulnerability.
Please note that the updated BIND packages referred to in CLSA-2000:338 contain a packaging error which renders named inoperable. Conectiva has published CLSA-2000:339 as an update to CLSA-2000:338. For further information, please visit: http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000339
Updated: May 16, 2001
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Debian has released vendor-specific information regarding this vulnerability at: http://www.debian.org/security/2000/20001112
Notified: November 12, 2000 Updated: May 11, 2001
Not Affected
All versions of FreeBSD after 4.0-RELEASE (namely 4.1-RELEASE, 4.1.1-RELEASE and the forthcoming 4.2-RELEASE) are not vulnerable to this bug since they include versions of BIND 8.2.3. FreeBSD 4.0-RELEASE and earlier are vulnerable to the reported problems since they include an older version of BIND, and an update to a non-vulnerable version is scheduled to be committed to FreeBSD 3.5.1-STABLE in the next few days.
The vendor has not provided us with any further information regarding this vulnerability.
FreeBSD has released the following advisory regarding this issue: ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:10.bind.asc
Notified: November 12, 2000 Updated: May 11, 2001
Not Affected
Fujitsu's UXP/V is not vulnerable to these bugs because we support a different version of BIND.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: November 12, 2000 Updated: May 11, 2001
Affected
HP is vulnerable to the SRV issue and patches are available, see HP Security Bulletin #144.
The vendor has not provided us with any further information regarding this vulnerability.
To locate this HP Security Bulletin online, please visit http://itrc.hp.com and search for "HPSBUX0102-144". Please note that registration may be required to access this document.
Notified: November 12, 2000 Updated: May 11, 2001
Affected
IBM has reported to the CERT/CC that AIX is vulnerable to the bugs described in this document. IBM initially released an e-patch in APAR IY14512. IBM has posted an e-fix for the BIND denial-of-service vulnerabilities to ftp.software.ibm.com/aix/efixes/security. See the README file in this ftp directory for additional information. Also, IBM has posted an e-fix to this same site that contains a libc.a library that incorporates a fix to the BIND vulnerabilities and the recent locale subsystem format string vulnerability discovered by Ivan Arce of CORE, and discussed on Bugtraq. The e-fix for BIND must be downloaded and installed before implementing this e-fix. See the same README file for details.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: May 16, 2001
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: November 13, 2000
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: November 13, 2000
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Please see MDKSA-2000:067: bind at: http://www.linux-mandrake.com/en/security/MDKSA-2000-067.php3
Notified: November 12, 2000 Updated: November 14, 2000
Not Affected
We have had a chance to investigate these issues and we are not vulnerable. This includes both Windows 2000 and Windows NT 4.0.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: November 12, 2000 Updated: November 13, 2000
Affected
NetBSD is believed to be vulnerable to these problems; in response, NetBSD-current has been upgraded to 8.2.2-P7 and 8.2.2-P7 will be present in the forthcoming NetBSD 1.5 release.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: November 12, 2000 Updated: November 13, 2000
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Please see RHSA-2000:107-01: Updated bind packages fixing DoS attack available at: http://www.redhat.com/support/errata/RHSA-2000-107-01.html [ not available as of 11/13/2000, 1200 UTC-0500 ]
Updated: November 13, 2000
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Updated Slackware distributions for bind may be found at: ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/bind.tgz
Notified: November 16, 2000 Updated: May 11, 2001
Affected
SuSE Linux has published a Security Announcement (below) regarding this vulnerability. For the latest version of this advisory, please visit: http://www.suse.com/de/support/security/2000_045_bind8_txt.txt
The vendor has not provided us with any further information regarding this vulnerability.
SuSE Security Announcement: bind8 (SuSE-SA:2000:45)
-----BEGIN PGP SIGNED MESSAGE-----

SuSE Security Announcement

Package: bind8
Announcement-ID: SuSE-SA:2000:45
Date: Thursday, November 16th, 2000 16:00 MEST
Affected SuSE versions: 6.0, 6.1, 6.2, 6.3, 6.4
Vulnerability Type: remote denial of service
Severity (1-10): 7
SuSE default package: no
Other affected systems: all systems using bind, version 8.2.2 before patchlevel 7

Content of this advisory:
1) security vulnerability resolved: bind8
   problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)

1) problem description, brief discussion, solution, upgrade information

BIND, the Berkeley Internet Name Daemon, versions before 8.2.2p7, has
been found vulnerable to two denial of service attacks: named may crash
after a compressed zone transfer request (ZXFR) and if an SRV record
(defined in RFC2782) is sent to the server. Administrators testing
the ZXFR bug should be aware that it can take several seconds after
triggering the bug until the nameserver daemon crashes.

SuSE versions 6.0 through 6.4 are affected by these two problems.

The bind8 package in SuSE-7.0 is not affected because a different
version of bind8 (8.2.3) was used in this distribution. By the release
time of the SuSE-7.0 distribution our engineers have determined that
the problems we had with stalling zone transfers under some obscure
conditions were not present with the 8.2.3 release of the package.

Administrators are strongly recommended to upgrade their bind8 package
using the provided packages from the sources below. There is a
temporary fix for the ZXFR problem (disable zone transfers) but none
for the SRV record problem.

For the latest information about security vulnerabilities in the bind
name server consider the Internet Software Consortium bind security
webpage at http://www.isc.org/products/BIND/bind-security.html .

To check if your system has the vulnerable package installed, use the
command `rpm -q
Notified: November 16, 2000 Updated: May 16, 2001
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.