On Mon, 29 Jan 2001, Mike Cheponis wrote:

> Are we vulnerable?  Here's an excerpt of WSJ article.  -Mike

The named shipped with 1.5 appears to be 8.2.2-P7, which is
indeed vulnerable. In fact, pretty much all 8.2.x appears
to be vulnerable. From http://www.isc.org/products/BIND/bind-security.html

Name: "tsig bug"

  Versions affected:                           
      8.2, 8.2-P1, 8.2.1, 8.2.2-P1, 8.2.2-P2, 8.2.2-P3, 8.2.2-P4,
      8.2.2-P5, 8.2.2-P6, 8.2.2-P7, and all 8.2.3-betas

  Severity:
      CRITICAL

  Exploitable:                       
      Remotely

  Type:                             
      Access possible.

  Description:
      It is possible to overflow a buffer handling TSIG signed
      queries, thereby obtaining access to the system. 

  Workarounds:
      None. 

  Active Exploits:
      Exploits for this bug exist. 

..personally I had already built BIND-9.0.1 on my NetBSD-1.4.2 box
as soon as I needed a named, since there are other known bugs in
pretty much all 8.x versions (check the above URL, it's got a nice
bug-table in the bottom of the page).

-- 
/ali: Computer Science Major and aspiring cartoonist. :-) 
(dept) dat94ali@ludat.lth.se - http://www.ludat.lth.se/~dat94ali
(home) ali@h543.sparta.lu.se - http://h543.sparta.lu.se/
* A4000/040-40/CV3D/Ariadne·AmigaOS·NetBSD·A3000/040-25/Ariadne *