Subject: NetBSD Security Advisory 2002-029: named(8) multiple denial of service and remote execution of code
To: None <tech-security@netbsd.org, current-users@netbsd.org>
From: NetBSD Security Officer <security-officer@netbsd.org>
List: tech-security
Date: 11/20/2002 02:22:53 
-----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-029
		 =================================

Topic:		named(8) multiple denial of service and remote execution of code

Version:	NetBSD-current:	November 15, 2002
		NetBSD 1.6:	affected
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		pkgsrc:	bind-4.9.10 and prior, bind-8.3.3 and prior

Severity:	Remote root compromise

Fixed:		NetBSD-current:		November 15, 2002
		NetBSD-1.6 branch:	November 16, 2002
		NetBSD-1.5 branch:	November 16, 2002
		pkgsrc:	bind-4.9.10nb1, bind-8.3.3nb1


Abstract
========

named(8) version 8.3.3, which is shipped with NetBSD, is vulnerable to
remote execution of malicious code, and multiple denial of service attacks. 


Technical Details
=================

http://www.isc.org/products/BIND/bind-security.html
See the sections named:	BIND: Remote Execution of Code"
			and "BIND: Multiple Denial of Service


Solutions and Workarounds
=========================

If you are not running named(8), your system is not affected.

BIND 9 is not affected by these vulnerabilities.  Upgrading to BIND 9 is
recommended. BIND 9 is available in the NetBSD Pkgsrc Collection
(pkgsrc/net/bind9).

onfiguration files differ between BIND 8 and 9. Plan such a migration
appropriately.

BIND 8 servers with recursion disabled are not vulnerable to the `BIND SIG
Cached RR Overflow Vulnerability' nor to the `BIND SIG Expiry Time DoS'.
to disable recursion, edit the BIND 8 configuration file (default path
/etc/namedb/named.conf) to add `recursion no;' and `fetch-glue no;' to
the options statement as shown:

                options {
                    recursion no;
                    fetch-glue no;
                   /* ... other options ... */
                };



The following instructions describe how to upgrade your named
binaries by updating your source tree and rebuilding and
installing a new version of named.

Be sure to restart running instance of named(8) after installation.


* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-11-15
	should be upgraded to NetBSD-current dated 2002-11-15 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		dist/bind
		usr.sbin/bind

	To update from CVS, re-build, and re-install named:
		# cd src
		# cvs update -d -P dist/bind usr.sbin/bind

		# cd usr.sbin/bind
		# make obj dependall
		# make install


* NetBSD 1.6:

	Systems running NetBSD 1.6 dated from before 2002-11-16 should
	be upgraded to NetBSD 1.6 dated 2002-11-16 or later.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		dist/bind
		usr.sbin/bind

	To update from CVS, re-build, and re-install named:
		# cd src
		# cvs update -d -P -r netbsd-1-6 dist/bind usr.sbin/bind

		# cd usr.sbin/bind
		# make obj dependall
		# make install


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	Systems running NetBSD 1.5, 1.5.1, 1.5.2 or 1.5.3 dated from before
	2002-11-16 should be upgraded to NetBSD 1.5 dated 2002-11-16 or
	later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		dist/bind
		usr.sbin/bind

	To update from CVS, re-build, and re-install named:
		# cd src
		# cvs update -d -P -r netbsd-1-5 dist/bind usr.sbin/bind

		# cd usr.sbin/bind
		# make obj dependall
		# make install


* pkgsrc

	bind-4.9.10 and prior, as well as bind-8.3.3 and prior are vulnerable.
	Upgrade to bind-4.9.10nb1, or bind-8.3.3nb1 (or later).


Thanks To
=========

FreeBSD Security-Officer, for portions of the workaround text.


Revision History
===============

	2002-11-20	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-029.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-029.txt,v 1.7 2002/11/19 17:09:59 david Exp $


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPdpxjj5Ru2/4N2IFAQH26AP/Zn+HG+u0Lwryq/fflxUJLO3Ib3QXZH14
hD/SWfkCExbZmd/5kkDdcMRfe33VTvSqZRw0IRGacErkO8cC8sbUUA9RYxAsxmpG
VMVNGMTaYlFDzGKPzyVmt9/4lAPvtR/Rd/bfJSUEfOIygNcQIvCpYN895aAFBWzl
gL8QNrRO7LY=
=1XM+
-----END PGP SIGNATURE-----