Current-Users archive
Re: Recent DNS vulnerabilities
In article <48769774.2030303%NetBSD.org@localhost>,
Adrian Portelli <adrianp%NetBSD.org@localhost> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Hi,
>
>CERT recently released an advisory relating to a vulnerability present
>in multiple DNS implementations. In the list of vendors impacted, BIND
>from the ISC was also found to be vulnerable which is the implementation
>of DNS that NetBSD uses in the base operating system and is also present
>in pkgsrc.
>
>We have been looking into this issue and have determined that all
>current NetBSD 3.* (e.g. NetBSD 3.1 and NetBSD 3.0.2) and NetBSD 4.*
>(e.g. NetBSD 4.0) releases as well as HEAD carry vulnerable versions of
>BIND. In addition to this, vulnerable versions of BIND were also found
>in pkgsrc.
>
>To date we have upgraded the impacted versions in pkgsrc to versions
>that contain a fix for this issue. The fixed versions in pkgsrc are
>bind-9.4.2pl1 and bind-9.5.0pl1; bind-8.* is end-of-life and you should
>upgrade to BIND 9.*. The fixed packages are currently in pkgsrc HEAD and
>pullups have been requested for the pkgsrc-2008Q1 branch. Fixed
>packages will also make it into the next pkgsrc stable branch
>(pkgsrc-2008Q2).
>
>NetBSD HEAD has now also been updated to BIND 9.5.0-PL1 which contains the
>fix. We are currently working on patches for the NetBSD 3.* and NetBSD
>4.* releases and once they have stabilized we will commit them to the CVS
>tree and provide update instructions. In addition to this we will also
>release a formal security advisory on this issue.
>
>Some initial patches by NetBSD developers are currently available but
>they are for testing only and if you choose to use them you do so at
>your own risk.
>
>ftp://ftp.astron.org/pub/people/christos/bind/
It is ftp.astron.com, sorry I typed it wrong.
christos