ISC Information for VU#803539
Multiple vendors' Domain Name System (DNS) stub resolvers vulnerable to buffer overflows
- Vendor Information Help Date Notified: 27 Jun 2002
- Statement Date:
- Date Updated: 07 Mar 2003
All versions of BIND 4 from 4.8.1 prior to BIND 4.9.9 are vulnerable.
All versions of BIND 8 prior to BIND 8.2.6 are vulnerable.
All versions of BIND 8.3.x prior to BIND 8.3.3 are vulnerable.
BIND versions BIND 9.2.0 and BIND 9.2.1 are vulnerable.
The status of BIND 4.8 is unknown, assume that it is vulnerable.
BIND versions BIND 9.0.x and BIND 9.1.x are not vulnerable.
'named' itself is not vulnerable.
Updated releases can be found at:
BIND 9 contains a copy of the BIND 8.3.x resolver library (lib/bind). This will be updated with the next BIND 9 releases (9.2.2/9.3.0) in the meantime please use the original in BIND 8.3.3.
Vendors wishing additional patches should contact email@example.com.
Query about BIND 4 and BIND 8 should be addressed to firstname.lastname@example.org.
Query about BIND 9 should be addressed to email@example.com.
The vendor has not provided us with any further information regarding this vulnerability.
The resolver library included in BIND 9.2.0 and 9.2.1 is a copy of the vulnerable resolver library included with BIND 8.3.x. In BIND 9, the vulnerable 8.3.x resolver library (libbind) is not built or installed by default unless BIND 9 is configured with the "--enable-libbind" option. BIND 9.2.2 is not vulnerable since it includes the updated resolver library (libbind) from BIND 8.3.3.
If you have feedback, comments, or additional information about this vulnerability, please send us email.