Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Recent DNS vulnerabilities

In article <>,
Adrian Portelli  <> wrote:
>Hash: SHA1
>CERT recently released an advisory relating to a vulnerability present
>in multiple DNS implementations.  In the list of vendors impacted, BIND
>from the ISC was also found to be vulnerable which is the implementation
>of DNS that NetBSD uses in the base operating system and is also present
>in pkgsrc.
>We have been looking into this issue and have determined that all
>current NetBSD 3.* (e.g. NetBSD 3.1 and NetBSD 3.0.2) and NetBSD.4.*
>(e.g. NetBSD 4.0) releases as well as HEAD carry vulnerable versions of
>BIND.  In addition to this vulnerable versions of BIND were also found
>in pkgsrc.
>To date we have upgraded the impacted versions in pkgsrc to versions
>that contain a fix for this issue.  The fixed versions in pkgsrc are
>bind-9.4.2pl1 and bind-9.5.0pl1, bind-8.* is end-of-life and you should
>upgrade to BIND 9.*. The fixed packages are currently in pkgsrc HEAD and
>pullups have been requested for the pkgsrc-2008Q1 branch.  Fixed
>packages will also make it into the next pkgsrc stable branch
>NetBSD HEAD has now also be updated to BIND 9.5.0-PL1 which contains the
>fix.  We are currently working on patches for the NetBSD 3.* and NetBSD
>4.* releases and once the have stabilized we will commit them to the CVS
>tree and provide update instructions.  In addition to this we will also
>release a formal security advisory on this issue.
>Some initial patches by NetBSD developers are currently available but
>they are for testing only and if you choose to use them you do so at
>your own risk.

It is, sorry I typed it wrong.


Home | Main Index | Thread Index | Old Index