NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Recent DNS vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

CERT recently released an advisory relating to a vulnerability present
in multiple DNS implementations.  In the list of vendors impacted, BIND
from the ISC was also found to be vulnerable which is the implementation
of DNS that NetBSD uses in the base operating system and is also present
in pkgsrc.

We have been looking into this issue and have determined that all
current NetBSD 3.* (e.g. NetBSD 3.1 and NetBSD 3.0.2) and NetBSD.4.*
(e.g. NetBSD 4.0) releases as well as HEAD carry vulnerable versions of
BIND.  In addition to this vulnerable versions of BIND were also found
in pkgsrc.

To date we have upgraded the impacted versions in pkgsrc to versions
that contain a fix for this issue.  The fixed versions in pkgsrc are
bind-9.4.2pl1 and bind-9.5.0pl1, bind-8.* is end-of-life and you should
upgrade to BIND 9.*. The fixed packages are currently in pkgsrc HEAD and
pullups have been requested for the pkgsrc-2008Q1 branch.  Fixed
packages will also make it into the next pkgsrc stable branch
(pkgsrc-2008Q2).

NetBSD HEAD has now also be updated to BIND 9.5.0-PL1 which contains the
fix.  We are currently working on patches for the NetBSD 3.* and NetBSD
4.* releases and once the have stabilized we will commit them to the CVS
tree and provide update instructions.  In addition to this we will also
release a formal security advisory on this issue.

Some initial patches by NetBSD developers are currently available but
they are for testing only and if you choose to use them you do so at
your own risk.

ftp://ftp.astron.org/pub/people/christos/bind/

For further information users are encouraged to read the following
advisories from CERT and ISC.

http://www.kb.cert.org/vuls/id/800113
http://www.isc.org/sw/bind/forgery-resilience.php

If you are using BIND from a NetBSD 3.* or NetBSD 4.* release the
current workaround available is to temporarily migrate to a fixed pkgsrc
version.  If you are using BIND from pkgsrc then you should upgrade to a
fixed version.  If you can assist in testing any of the patches to
upgrade BIND in the base OS we would be interested on getting any feedback.

on behalf of NetBSD Security officer,

adrian.
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkh2l28ACgkQLc2rR0mnFJ+pEACeJ6R2LVr3HgW2JxBmipl1Sk1q
INEAoKOdamplue+rxNcoRGtASTjEHzPb
=Ckyw
-----END PGP SIGNATURE-----


Home | Main Index | Thread Index | Old Index