Subject: pkg/18111: bind8 gives false positive of bind9 vulnerability from audit-packages
To: None <gnats-bugs@gnats.netbsd.org>
From: None <dogcow@babymeat.com>
List: netbsd-bugs
Date: 08/29/2002 15:49:09
>Number:         18111
>Category:       pkg
>Synopsis:       bind8 gives false positive of bind9 vulnerability from audit-packages
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Aug 29 15:50:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Tom Spindler
>Release:        NetBSD 1.6_BETA1
>Organization:
	
>Environment:
	
	
System: NetBSD veal.babymeat.com 1.6_BETA1 NetBSD 1.6_BETA1 (RAIDVEAL) #3: Mon Jun 10 17:46:36 PDT 2002 notroot@erectile-dysfunction:/netbsd15/nbsrc16/sys/arch/i386/compile/RAIDVEAL i386
Architecture: i386
Machine: i386
>Description:
If you have bind8 installed, you get the warning

  Package bind-8.3.3 has a denial-of-service vulnerability, see http://www.cert.org/advisories/CA-2002-15.html

but the advisory is actually only for bind9. The entry in the
vulnerabilities file is given as

bind<9.2.1              denial-of-service       http://www.cert.org/advisories/CA-2002-15.html
	
>How-To-Repeat:
Install pkgsrc/net/bind8 and pkgsrc/security/audit-packages; run
audit-packages.
	
>Fix:
	
Whether the "correct" fix is to rename bind-8 to bind8, etc., or to have
some syntax in the vulnerabilities file akin to "bind<9.2.1&&bind>9.0.0",
I don't know.

>Release-Note:
>Audit-Trail:
>Unformatted:
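Editor's note, added after the report and not part of the PR or of audit-packages itself: the false positive described above comes from a version pattern with no lower bound, so a minimal model of the matching step makes both of the reporter's proposed fixes concrete. The script below parses a constructed vulnerabilities file in the three-column layout quoted in the report, splits installed NAME-VERSION package names, and compares versions with a simplified dewey-style numeric compare (an assumption, not pkg_install's dewey.c). The `&&` range syntax is the one the report floats, treated here as a hypothetical, and the installed-package list (other than bind-8.3.3) is made up for the example.

```python
"""Model of how an audit-packages style check matches installed packages
against a pkgsrc-style vulnerabilities file.

Added illustration for this page; not the code of audit-packages or
pkg_install.  Version comparison is a simplified dewey-style numeric
compare (assumption), and the '&&' range syntax is the one proposed in
the report, not a syntax audit-packages is known to support.
"""
import re

# Constructed sample entries; only the first pattern is the one quoted in the report.
VULNS_NO_LOWER_BOUND = """\
# pattern               type                    url
bind<9.2.1              denial-of-service       http://www.cert.org/advisories/CA-2002-15.html
"""

# Same advisory with the lower bound the report suggests (hypothetical syntax).
VULNS_WITH_LOWER_BOUND = """\
bind>=9.0.0&&bind<9.2.1 denial-of-service       http://www.cert.org/advisories/CA-2002-15.html
"""

# Constructed list of installed packages; bind-8.3.3 is the one from the report.
INSTALLED = ["bind-8.3.3", "bind-9.2.0", "bind-9.2.1", "audit-packages-1.14"]

# The other fix floated in the report: give the bind 8 package its own name.
INSTALLED_RENAMED = ["bind8-8.3.3", "bind-9.2.0", "bind-9.2.1"]


def split_pkg(pkg):
    """'audit-packages-1.14' -> ('audit-packages', '1.14').

    pkgsrc package names are NAME-VERSION with VERSION starting with a
    digit, so split at the last '-' that is followed by a digit.
    """
    m = re.match(r"^(.+)-(\d.*)$", pkg)
    if not m:
        raise ValueError("not a NAME-VERSION package name: %r" % pkg)
    return m.group(1), m.group(2)


def version_key(version):
    """Simplified dewey-style key using only the numeric runs.

    '9.2.1' -> [9, 2, 1]; '9.2.1nb2' -> [9, 2, 1, 2].  Real dewey
    comparison treats 'nb', 'pl', 'alpha' etc. specially; not needed here.
    """
    return [int(n) for n in re.findall(r"\d+", version)]


OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}

CLAUSE_RE = re.compile(r"^([^<>=]+)(<=|>=|<|>|=)(.+)$")


def pattern_matches(pattern, pkg):
    """True if installed PKG satisfies every NAME<op>VERSION clause.

    Clauses are joined with '&&' (hypothetical syntax).  A lone clause
    like 'bind<9.2.1' has no lower bound, so every 'bind-*' package below
    9.2.1 matches, bind 8 included: that is the false positive reported.
    """
    name, version = split_pkg(pkg)
    for clause in pattern.split("&&"):
        m = CLAUSE_RE.match(clause)
        if not m:
            raise ValueError("bad pattern clause: %r" % clause)
        pname, op, pver = m.groups()
        if pname != name:
            return False  # entry is for a differently named package
        if not OPS[op](version_key(version), version_key(pver)):
            return False
    return True


def audit(vulnfile, installed):
    """Return [(pkg, pattern, type, url), ...] for each installed package
    matching an entry in VULNFILE, i.e. each warning that would be printed."""
    hits = []
    for line in vulnfile.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, vtype, url = line.split(None, 2)
        for pkg in installed:
            if pattern_matches(pattern, pkg):
                hits.append((pkg, pattern, vtype, url))
    return hits


if __name__ == "__main__":
    for label, vulns, pkgs in [
        ("no lower bound  ", VULNS_NO_LOWER_BOUND, INSTALLED),
        ("with lower bound", VULNS_WITH_LOWER_BOUND, INSTALLED),
        ("bind8 renamed   ", VULNS_NO_LOWER_BOUND, INSTALLED_RENAMED),
    ]:
        print("%s: %s" % (label, [h[0] for h in audit(vulns, pkgs)]))
```

Running it shows the unbounded pattern flagging both bind-8.3.3 and bind-9.2.0, while either adding the lower bound to the entry or renaming the installed package to bind8-8.3.3 leaves only bind-9.2.0 flagged. Both fixes work on this model; which one pkgsrc adopted is not something this report settles.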