ISC Information for VU#308891

OpenSSL contains multiple buffer overflows in buffers that are used to hold ASCII representations of integers

Status

Affected

Vendor Statement

ISC Vendor statement.

BIND 4, BIND 8 and BIND 9.0.x are not vulnerable.

BIND 9.1.x ships with a copy of the vulnerable sections of the OpenSSL crypto
library (obj_dat.c and asn1_lib.c).
Please upgrade to BIND 9.2.x and/or relink with a fixed version of OpenSSL.
e.g. configure --with-openssl=/path/to/fixed/openssl
Vendors shipping product based on BIND 9.1 should contact bind-bugs@isc.org.

BIND 9.2.x is vulnerable if linked against a vulnerable library.  By default
BIND 9.2 does not link against OpenSSL.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.