3Com Unknown

Updated:  October 01, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Alcatel Unknown

Notified:  August 15, 2002 Updated: October 01, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Apple Computer Inc. Not Affected

Notified:  August 15, 2002 Updated: August 23, 2002

Status

Not Affected

Vendor Statement

Mac OS X and Mac OS X Server do not contain the vulnerability described in this report.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

AT&T Unknown

Notified:  August 15, 2002 Updated: October 03, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

BlueCat Networks Unknown

Notified:  August 15, 2002 Updated: October 03, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Check Point Unknown

Notified:  August 15, 2002 Updated: April 15, 2003

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Cisco Systems Inc. Unknown

Notified:  August 15, 2002 Updated: October 01, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Computer Associates Not Affected

Notified:  August 15, 2002 Updated: October 01, 2002

Status

Not Affected

Vendor Statement

We do not ship a resolver implementation or utilize the resolver library calls (i.e., res_*) but do utilize other native calls (e.g., gethostbyname(), gethostbyaddr() etc.) for translations.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Conectiva Affected

Notified:  August 15, 2002 Updated: November 08, 2002

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please reference the following Conectiva Linux Announcements (English): CLSA-2002:535 (glibc) and CLSA-2002:531 (fetchmail).

Cray Inc. Unknown

Notified:  August 15, 2002 Updated: October 01, 2002

Status

Unknown

Vendor Statement

Cray Inc. may be vulnerable and has opened spr 723016 to track this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Data General Unknown

Notified:  August 15, 2002 Updated: September 24, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Debian Affected

Notified:  August 15, 2002 Updated: November 08, 2002

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Most Linux distributions include the GNU glibc library that contains vulnerable DNS resolver functions.

Debian Security Advisory DSA-178 (superseded by DSA-185) addresses this issue in Heimdal Kerberos. See also: http://security.debian.org/pool/updates/main/h/heimdal/heimdal_0.2l-7.6.diff.gz

Debian Security Advisory DSA-171 addresses this issue in fetchmail.

djbdns Not Affected

Notified:  August 15, 2002 Updated: October 01, 2002

Status

Not Affected

Vendor Statement

djbdns does not have these bugs. djbdns has never used any BIND-derived code. djbdns, including the djbdns client library, is covered by a $500 security guarantee. The djbdns client library is free for use by other packages in place of BIND's libresolv. See http://cr.yp.to/djbdns.html.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

F5 Networks Unknown

Notified:  August 15, 2002 Updated: October 03, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Fetchmail Affected

Updated:  October 18, 2002

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FreeBSD Affected

Notified:  August 15, 2002 Updated: November 13, 2002

Status

Affected

Vendor Statement

Please see FreeBSD-SA-02:42.resolv.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Fujitsu Affected

Notified:  August 15, 2002 Updated: October 16, 2002

Status

Affected

Vendor Statement

Fujitsu's UXP/V operating system is vulnerable to the bug reported in VU#738331. Bug fixes are currently being developed and will be available in November, 2002. The bug fix no. for UXP/V V20L10 is UX28292. The bug fix no. for UXP/V V10L20 is UX15055.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

GNU adns Not Affected

Notified:  August 15, 2002 Updated: October 03, 2002

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

GNU glibc Affected

Notified:  August 15, 2002 Updated: October 16, 2002

Status

Affected

Vendor Statement

Version 2.2.5 of the GNU C Library is vulnerable. The following patch has been installed into the CVS sources, and should appear in the next version. 2002-09-04 Roland McGrath * resolv/nss_dns/dns-network.c (MAXPACKET): Increase minimum value from 1024 to 65536, to avoid buffer overrun. 2002-08-24 Ulrich Drepper * resolv/nss_dns/dns-host.c (MAXPACKET): Likewise. 2002-08-16 Paul Eggert * resolv/gethnamaddr.c (MAXPACKET): Likewise. * resolv/res_query.c (MAXPACKET): Likewise. RCS file: /cvs/glibc/libc/resolv/nss_dns/dns-network.c,v retrieving revision 1.12 retrieving revision 1.13 diff -u -r1.12 -r1.13 --- libc/resolv/nss_dns/dns-network.c 2002/08/26 06:20:05 1.12 +++ libc/resolv/nss_dns/dns-network.c 2002/09/05 01:23:06 1.13 @@ -70,10 +70,10 @@ #define MAX_NR_ALIASES 48 -#if PACKETSZ > 1024 -#define MAXPACKET PACKETSZ +#if PACKETSZ > 65536 +# define MAXPACKET PACKETSZ #else -#define MAXPACKET 1024 +# define MAXPACKET 65536 #endif RCS file: /cvs/glibc/libc/resolv/nss_dns/dns-host.c,v retrieving revision 1.32 retrieving revision 1.33 diff -u -r1.32 -r1.33 --- libc/resolv/nss_dns/dns-host.c 2002/08/03 03:42:06 1.32 +++ libc/resolv/nss_dns/dns-host.c 2002/08/24 22:29:11 1.33 @@ -92,10 +92,10 @@ #define MAX_NR_ALIASES 48 #define MAX_NR_ADDRS 48 -#if PACKETSZ > 1024 +#if PACKETSZ > 65536 # define MAXPACKET PACKETSZ #else -# define MAXPACKET 1024 +# define MAXPACKET 65536 #endif /* As per RFC 1034 and 1035 a host name cannot exceed 255 octets in length. #ifdef MAXHOSTNAMELEN RCS file: /cvs/glibc/libc/resolv/gethnamaddr.c,v retrieving revision 1.39 retrieving revision 1.40 diff -u -r1.39 -r1.40 --- libc/resolv/gethnamaddr.c 2002/08/03 03:40:54 1.39 +++ libc/resolv/gethnamaddr.c 2002/08/24 22:29:11 1.40 
@@ -115,10 +115,10 @@ extern void addrsort __P((char **, int)); #endif -#if PACKETSZ > 1024 +#if PACKETSZ > 65536 #define MAXPACKET PACKETSZ #else -#define MAXPACKET 1024 +#define MAXPACKET 65536 #endif /* As per RFC 1034 and 1035 a host name cannot exceed 255 octets in length. RCS file: /cvs/glibc/libc/resolv/res_query.c,v retrieving revision 1.16 retrieving revision 1.17 diff -u -r1.16 -r1.17 --- libc/resolv/res_query.c 2001/01/08 17:55:24 1.16 +++ libc/resolv/res_query.c 2002/08/24 22:29:11 1.17 @@ -85,10 +85,10 @@ /* Options. Leave them on. /* #undef DEBUG */ -#if PACKETSZ > 1024 +#if PACKETSZ > 65536 #define MAXPACKET PACKETSZ #else -#define MAXPACKET 1024 +#define MAXPACKET 65536 #endif
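Review bot: in the dns-network.c hunk a whitespace change (`#define` to `# define` on both MAXPACKET lines) is mixed into the one-constant security fix; split it out so the fix reads as the two-line value change it is, as the dns-host.c hunk already does (`-# define MAXPACKET 1024` / `+# define MAXPACKET 65536`).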
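Review bot: the gethnamaddr.c hunk, like the other three, changes only the size constant, so the diff does not show whether the buffers sized by MAXPACKET are automatic variables; the ChangeLog entry above ("Increase minimum value from 1024 to 65536, to avoid buffer overrun") should say so, because a 64 KiB stack object per lookup is a real cost for threads created with small stacks and a reviewer cannot judge it from this hunk.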
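Review bot: in the res_query.c hunk the larger MAXPACKET only removes the truncation for buffers sized by this macro; nothing in the hunk clamps the value res_query()/res_search() return to the buffer the caller actually passed in, so an application that allocates its own smaller answer buffer and trusts the return value (the pattern the ISC statement on this page describes) stays exposed. Consider also limiting the returned length to the buffer size in res_query.c, as the Openwall statement on this page reports SuSE's patch doing for res_send(3).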

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Guardian Digital Inc. Affected

Notified:  August 15, 2002 Updated: October 10, 2002

Status

Affected

Vendor Statement

See ESA-20021003-021.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Most Linux distributions include the GNU glibc library that contains vulnerable DNS resolver functions.

Hewlett-Packard Company Affected

Notified:  August 15, 2002 Updated: April 15, 2003

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

HP Secure OS Software for Linux is affected. Please reference the following documents: HPSBTL0210-071 (fetchmail), HPSBTL0210-070 (nss_ldap), and HPSBTL0210-069/HPSBTL0211-0075 (glibc). See also HPSBUX0208-209/SSRT2316.

Hitachi Affected

Notified:  August 27, 2002 Updated: November 08, 2002

Status

Affected

Vendor Statement

The DNS resolver included in the GR2000 router is potentially vulnerable to this problem. All ROUTE-OS software from version 02-03 is affected. Below is the release schedule for the fixed version of the software.

Fixed software version: 06-05-/E
Release date: September 12, 2002

Please see http://www.hitachi.co.jp/Prod/comp/network/notice/20020911_0_E.html for more information.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM Affected

Notified:  August 15, 2002 Updated: October 16, 2002

Status

Affected

Vendor Statement

The AIX operating system is vulnerable to a buffer overflow in the res_nsend() resolver function, as mentioned above, in releases 4.3.3 and 5.1.0. This problem was discovered and fixed earlier while investigating a core dump from the "host" command. The following APARs are available for this fix:

AIX 4.3.3: IY31886
AIX 5.1.0: IY31889

The APARs can be downloaded by going to the following URL, then following the links for your system release level.

http://techsupport.services.ibm.com/servers/fixes?view=pseries

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Infoblox Unknown

Notified:  August 15, 2002 Updated: October 01, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Intel Unknown

Notified:  August 15, 2002 Updated: October 03, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

ISC Affected

Updated:  October 16, 2002

Status

Affected

Vendor Statement

Internet Software Consortium Security Advisory. LIBBIND/LIBRESOLV: Denial of Service. 8 August 2002

Versions affected: BIND 4 prior to 4.9.10; BIND 8 prior to 8.2.5
Severity: SERIOUS
Exploitable: Remotely
Type: Denial of service

Description: When looking up addresses (gethostbyname(), gethostbyaddr(), etc.) a less than maximum sized buffer is passed to res_search() / res_query(). If the answer is too large to fit in the buffer, the size of buffer required is returned along with the part of the message that will fit. This value is not checked and is passed to getanswer, which then may read past the end of the buffer depending upon the contents in the answer section.

THIS DOES NOT AFFECT THE NAMESERVER. THIS CAN BE TRANSMITTED THROUGH CACHES.

BIND 9 is NOT affected. BIND 8.3.x is NOT affected. This bug may exist in other applications that call the DNS directly.

Workarounds: None. Upgrade and re-linking required.

Impact: Applications linked against vulnerable versions of the libraries may die with segmentation violations / bus errors.

Fix: Upgrade to BIND 4.9.10 or preferably BIND 8.3.3. BIND 4 is officially deprecated. Only security fixes will be issued for BIND 4. http://www.isc.org/products/BIND

For application writers: Use a maximum sized buffer (64k), be prepared to redo the calls res_search(), res_query(), res_send(), res_nsearch(), res_nquery() and res_send() with a bigger buffer, or take the minimum of the answer buffer size and the value returned by these calls and be aware that the answer is truncated.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Juniper Networks Affected

Notified:  August 15, 2002 Updated: October 16, 2002

Status

Affected

Vendor Statement

Juniper Networks has determined that its JUNOS Internet Software, used on the M- and T-series of router products, is susceptible to this vulnerability in versions 5.2R1.4, 5.2R2.3, 5.2R3.4, 5.2R4.4, 5.3R1.2, 5.3R2.4, 5.3R3.3, and 5.4R1.4. Customers should contact Juniper or their Juniper reseller to obtain an updated version of JUNOS software.

Juniper Networks has determined that the operating software used on the ERX router products is not susceptible to this vulnerability. No software upgrade is required. However, the SDX-300 Service Deployment system may be susceptible if it is installed on a susceptible host platform. Users of SDX-300 should contact their host operating system vendor regarding this advisory.

The Juniper Networks G10 CMTS product is not susceptible to this vulnerability. No upgrade is required.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

KAME Project Affected

Updated:  October 01, 2002

Status

Affected

Vendor Statement

The problem was fixed in the KAME tree on August 27, 2002.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

KTH Kerberos Unknown

Notified:  August 23, 2002 Updated: August 24, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lotus Software Unknown

Notified:  September 24, 2002 Updated: October 03, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lucent Technologies Not Affected

Notified:  August 15, 2002 Updated: August 21, 2002

Status

Not Affected

Vendor Statement

LMG is not affected by the BIND vulnerability. LMG uses BIND 9.2.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MandrakeSoft Affected

Notified:  August 15, 2002 Updated: November 08, 2002

Status

Affected

Vendor Statement

Mandrake Linux 7.1 and 7.2, which ship with BIND 8.x, already have been updated to BIND version 8.3.3, which is not vulnerable to this problem. Mandrake Linux 8.0 and higher ship with BIND 9.x which is also not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Most Linux distributions include the GNU glibc library that contains vulnerable DNS resolver functions. MandrakeSoft has also released MDKSA-2002:063 (fetchmail) and MDKSA-2002:075 (nss_ldap).

MetaSolv Software Inc. Affected

Notified:  August 15, 2002 Updated: October 01, 2002

Status

Affected

Vendor Statement

The resolver code embedded in the DNS Server (Based on ISC BIND 8.2.3) on both MetaSolv Policy Services 4.1 and 4.2 are open to Vulnerability Note VU#738331. This issue is being tracked by MetaSolv under Case #28230. An upgrade to ISC BIND 8.2.6 and the ISC Sanctioned Patches to 8.2.6 for this advisory have been compiled and applied, and will be available in Policy Services 4.2 Service Pack 1 efix 1. Please contact MetaSolv Global Customer Care (supporthd@metasolv.com) for availability and assistance.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Microsoft Corporation Not Affected

Notified:  August 15, 2002 Updated: August 23, 2002

Status

Not Affected

Vendor Statement

Microsoft does not use BIND resolver code.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MIT Kerberos Development Team Affected

Notified:  August 23, 2002 Updated: October 16, 2002

Status

Affected

Vendor Statement

We don't ship a resolver implementation as part of MIT krb5. Our code does call res_search() in a potentially unsafe manner, but seems to only result in a read overrun. Also, it is primarily client-side code that calls res_search(), so denial of service attacks against servers are unlikely. This will be fixed in an upcoming release of MIT krb5. The MIT Kerberos Team is not issuing a patch at this time, as we believe that the vulnerability is limited to a client-side denial of service.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NEC Corporation Unknown

Notified:  August 15, 2002 Updated: October 16, 2002

Status

Unknown

Vendor Statement

Sent on October 4, 2002

[Server Products] On investigation

[Router Products]
IX 5000 Series - is NOT vulnerable.
IX 1000/2000 Series - is NOT vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetBSD Affected

Notified:  August 15, 2002 Updated: October 10, 2002

Status

Affected

Vendor Statement

See NetBSD Security Advisory SA2002-015 for details.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Network Appliance Unknown

Notified:  August 15, 2002 Updated: October 03, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nixu Not Affected

Notified:  September 24, 2002 Updated: October 14, 2002

Status

Not Affected

Vendor Statement

Nixu NameSurfer itself does not contain any parts of the resolver library being discussed, nor does it call the res_* functions directly. However, parts of NameSurfer are dynamically linked with the resolver library on the DNS server machine. Therefore, if the underlying system is vulnerable, the vulnerability propagates also to NameSurfer. Nixu recommends that the resolver on the DNS server running NameSurfer is upgraded according to ISC's advisory as published by CERT. No further actions are required.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nominum Unknown

Notified:  August 15, 2002 Updated: October 01, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nortel Networks Affected

Notified:  August 15, 2002 Updated: November 08, 2002

Status

Affected

Vendor Statement

Nortel Networks has determined that NetID version 4.3.1 and later is potentially affected by the vulnerability identified in CERT/CC Vulnerability Note VU#738331; a bulletin and patch are available from the following Nortel Networks support contacts:

North America: 1-8004NORTEL or 1-800-466-7835
Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009
Contacts for other regions are available at www.nortelnetworks.com/help/contact/global/

Optivity NMS is not affected.

The former Nortel Networks product Preside Policy Server, divested to MetaSolv Software, Inc. in February 2002, uses BIND 8 and may be potentially affected. Please refer to MetaSolv Software Inc.'s Vendor Statement.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenBSD Unknown

Notified:  August 15, 2002 Updated: August 15, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenLDAP Unknown

Notified:  August 23, 2002 Updated: August 24, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Openwall GNU/*/Linux Affected

Notified:  August 15, 2002 Updated: October 16, 2002

Status

Affected

Vendor Statement

Openwall GNU/*/Linux's glibc package was affected. As a workaround, we have applied the patch by Olaf Kirch of SuSE which limits the return value from res_send(3) to be no greater than the provided answer buffer size. This approach has the advantage of reducing the problem for poorly written third-party applications, including those which aren't a part of our distribution. At the same time, checks have also been added to avoid some potential reads beyond the end of undersized DNS responses, as pointed out by Dmitry V. Levin of ALT Linux. This change will be documented in the system-wide change log: http://www.openwall.com/Owl/CHANGES.shtml

The BIND 4.9.x Openwall patch (which adds a number of security-related features) has been updated to the upcoming 4.9.10 release and will be made available at: http://www.openwall.com/bind/

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.
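The ISC statement above tells application writers to use a 64k buffer, to retry with a bigger buffer, or to take the minimum of the buffer size and the returned length; the Openwall statement describes the same clamp applied inside the library to res_send(3). The following C program is an added example that is not code from ISC, Openwall, glibc or CERT/CC. It assumes a stand-in, stub_res_query(), for libresolv's res_query()/res_search() with exactly the behaviour the advisory describes (copy what fits, return the full message length), builds a constructed DNS answer for example.com in build_answer(), and goes one step beyond the text by including a bounds-checked answer walker, count_answer_rrs(), in place of the unchecked getanswer() parse, so both remedies can be compared on an answer that does and does not fit a 1024-byte buffer.

```c
/* Added example, not ISC/Openwall/glibc code. stub_res_query() is an assumed stand-in for
 * libresolv's res_query()/res_search(); the DNS answer it returns is constructed here. */
#include <stdlib.h>
#include <string.h>

#define DNS_HDR_LEN  12
#define SMALL_ANSWER 1024   /* the pre-patch MAXPACKET used by glibc's callers */
#define MAX_DNS_MSG  65535  /* largest DNS message over TCP (16-bit length prefix) */

/* Constructed wire-format answer: header, one question (example.com/A), then n_records
 * A RRs whose NAME is a compression pointer (0xc0 0x0c) to the question name. */
static int build_answer(unsigned char *out, size_t cap, int n_records)
{
    static const unsigned char qname[] = "\7example\3com";        /* 13 bytes incl. root label */
    static const unsigned char rr[] = {0xc0, 0x0c, 0, 1, 0, 1, 0, 0, 0x0e, 0x10, 0, 4};
    size_t p = DNS_HDR_LEN, need = DNS_HDR_LEN + sizeof qname + 4 + (size_t)n_records * 16;
    if (n_records < 0 || n_records > 0xffff || need > cap) return -1;
    memset(out, 0, DNS_HDR_LEN);
    out[2] = 0x81; out[3] = 0x80;                                   /* QR RD RA, RCODE 0 */
    out[5] = 1;                                                     /* QDCOUNT = 1 */
    out[6] = (unsigned char)(n_records >> 8); out[7] = (unsigned char)n_records; /* ANCOUNT */
    memcpy(out + p, qname, sizeof qname); p += sizeof qname;
    out[p++] = 0; out[p++] = 1; out[p++] = 0; out[p++] = 1;         /* QTYPE A, QCLASS IN */
    for (int i = 0; i < n_records; i++) {
        memcpy(out + p, rr, sizeof rr); p += sizeof rr;             /* NAME TYPE CLASS TTL RDLEN */
        out[p++] = 192; out[p++] = 0; out[p++] = 2; out[p++] = (unsigned char)i; /* 192.0.2.x */
    }
    return (int)p;
}

/* Stand-in for res_query()/res_search(): copy what fits into anslen bytes but return the
 * length of the whole message, the value the vulnerable callers trusted without checking. */
static int stub_res_query(const unsigned char *wire, int wire_len, unsigned char *answer, int anslen)
{
    memcpy(answer, wire, (size_t)(wire_len < anslen ? wire_len : anslen));
    return wire_len;
}

/* Skip one wire-format name at *pos; -1 if it runs past len (labels or a 2-byte pointer). */
static int skip_name(const unsigned char *msg, int len, int *pos)
{
    int p = *pos;
    for (;;) {
        if (p >= len) return -1;
        unsigned char c = msg[p];
        if (c == 0) { *pos = p + 1; return 0; }
        if ((c & 0xc0) == 0xc0) { if (p + 1 >= len) return -1; *pos = p + 2; return 0; }
        if (c > 63) return -1;
        p += 1 + c;
    }
}

/* Count the answer RRs that lie completely inside len bytes, checking every read against len
 * (the check getanswer() lacked). *truncated is set when ANCOUNT promises more RRs than fit.
 * Returns -1 if the header or question section itself is malformed. */
static int count_answer_rrs(const unsigned char *msg, int len, int *truncated)
{
    *truncated = 0;
    if (len < DNS_HDR_LEN) return -1;
    int qdcount = (msg[4] << 8) | msg[5], ancount = (msg[6] << 8) | msg[7];
    int pos = DNS_HDR_LEN, n = 0;
    for (int i = 0; i < qdcount; i++) {
        if (skip_name(msg, len, &pos) < 0 || pos + 4 > len) return -1;
        pos += 4;
    }
    for (; n < ancount; n++) {
        if (skip_name(msg, len, &pos) < 0 || pos + 10 > len) break;
        int rdlength = (msg[pos + 8] << 8) | msg[pos + 9];
        if (pos + 10 + rdlength > len) break;
        pos += 10 + rdlength;
    }
    if (n < ancount) *truncated = 1;
    return n;
}

/* Remedy 1 (ISC's "take the minimum", Openwall's in-library clamp): never parse more bytes
 * than the buffer holds, and report the truncation instead of hiding it. */
static int resolve_clamped(const unsigned char *wire, int wire_len, int *truncated)
{
    unsigned char answer[SMALL_ANSWER];
    int ret = stub_res_query(wire, wire_len, answer, (int)sizeof answer);
    if (ret < 0) return -1;
    int len = ret > (int)sizeof answer ? (int)sizeof answer : ret;  /* the missing check */
    return count_answer_rrs(answer, len, truncated);
}

/* Remedy 2 (ISC's "redo the call with a bigger buffer"): retry with a maximum-size buffer. */
static int resolve_with_retry(const unsigned char *wire, int wire_len, int *truncated)
{
    unsigned char small[SMALL_ANSWER];
    int ret = stub_res_query(wire, wire_len, small, (int)sizeof small);
    if (ret < 0) return -1;
    if (ret <= (int)sizeof small) return count_answer_rrs(small, ret, truncated);
    unsigned char *big = malloc(MAX_DNS_MSG);                      /* heap, not a 64 KiB frame */
    if (big == NULL) return -1;
    ret = stub_res_query(wire, wire_len, big, MAX_DNS_MSG);
    int n = count_answer_rrs(big, ret > MAX_DNS_MSG ? MAX_DNS_MSG : ret, truncated);
    free(big);
    return n;
}

/* Build an answer with n_records A RRs (29 + 16*n bytes) and resolve it with either remedy;
 * returns the RR count the caller sees, and via *truncated whether the answer was cut. */
int demo(int n_records, int retry, int *truncated)
{
    unsigned char wire[4096];
    int wire_len = build_answer(wire, sizeof wire, n_records);
    if (wire_len < 0) return -1;
    return retry ? resolve_with_retry(wire, wire_len, truncated)
                 : resolve_clamped(wire, wire_len, truncated);
}
int demo_count(int n_records, int retry)     { int t; return demo(n_records, retry, &t); }
int demo_truncated(int n_records, int retry) { int t; return demo(n_records, retry, &t) < 0 ? -1 : t; }
```

An 80-record answer is 1309 bytes: with the clamp, a 1024-byte buffer yields 62 complete RRs and a truncation flag; with the retry, all 80. Without either, the parser would have been handed 1309 as the length of a 1024-byte buffer, which is the read past the end of the buffer the advisory describes.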

Oracle Corporation Unknown

Notified:  October 01, 2002 Updated: October 01, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Red Hat Inc. Affected

Notified:  August 15, 2002 Updated: November 08, 2002

Status

Affected

Vendor Statement

All supported versions of Red Hat Linux which shipped with vulnerable versions of BIND were updated to BIND 9.x by a previous security errata issued in August 2002 and are therefore not vulnerable to this issue. Users of the Red Hat Network can make sure their systems are updated to this release using the 'up2date' tool. http://rhn.redhat.com/errata/RHSA-2002-133.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Red Hat has also released RHSA-2002:197 (glibc), RHSA-2002:215 (fetchmail), and RHSA-2002:175 (nss_ldap).

Secure Computing Corporation Not Affected

Updated:  October 16, 2002

Status

Not Affected

Vendor Statement

SIDEWINDER(tm) FIREWALL & VPN (all releases including SIDEWINDER APPLIANCE): Not Vulnerable

As part of Sidewinder(tm)'s defense in depth architecture, DNS queries are sandboxed by SecureOS(tm)'s patented Type Enforcement technology. Faults in the resolver library cannot cause a compromise of the Sidewinder(tm). However, since a Bind 8 caching server can still pass this attack along to vulnerable resolvers, Sidewinder(tm) users who wish to protect vulnerable resolvers behind their firewall from attack should upgrade to version 5.2.1.05, which replaces Bind 8 with Bind 9. Customers should contact Customer Service to obtain version 5.2.1.05.

Gauntlet and e-ppliance: Both Gauntlet Software and Gauntlet e-ppliance utilize the Bind version that ships with Solaris 8. Please see the Solaris 8 response to this vulnerability to assess the applicability of any potential DOS risk. Secure Computing will test and make recommendations to customers regarding any potential software changes, if any, published by Sun Microsystems.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sendmail Unknown

Notified:  August 15, 2002 Updated: October 03, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sequent Unknown

Notified:  August 15, 2002 Updated: October 03, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SGI Not Affected

Notified:  August 15, 2002 Updated: August 23, 2002

Status

Not Affected

Vendor Statement

SGI uses nsd (UNS name service daemon) as a resolver and it does not appear to be vulnerable as it does not use any of the res_* functions.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sony Corporation Unknown

Notified:  August 15, 2002 Updated: October 03, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sun Microsystems Inc. Affected

Notified:  August 15, 2002 Updated: November 08, 2002

Status

Affected

Vendor Statement

The Solaris DNS resolver library (libresolv.so) is affected by this issue in the following versions of Solaris: Solaris 2.5.1, 2.6, 7, and 8. Patches have been generated for all of the above releases.

Sun has published Sun Alert 45463 for this issue, which is available from: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F45463

The patches for this issue are available from: http://sunsolve.sun.com/securitypatch

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SuSE Inc. Affected

Notified:  August 15, 2002 Updated: October 25, 2002

Status

Affected

Vendor Statement

All SuSE versions of bind8 are affected by the bug in res_search/res_query. Fixed packages will be provided on 2002-10-01.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SuSE Security Announcement SuSE-SA:2002:034 addresses this issue in Heimdal Kerberos.

The SCO Group Unknown

Notified:  August 15, 2002 Updated: September 24, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Unisphere Networks Unknown

Notified:  August 15, 2002 Updated: October 03, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Unisys Unknown

Notified:  August 15, 2002 Updated: October 03, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Wind River Systems Inc. Unknown

Notified:  August 15, 2002 Updated: August 15, 2002

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Xerox Corporation Affected

Notified:  August 15, 2002 Updated: April 15, 2003

Status

Affected

Vendor Statement

A response to this vulnerability is available from our web site: http://www.xerox.com/security/

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.
