Immunix Information for VU#734644

ISC BIND 8 vulnerable to cache poisoning via negative responses

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

[Outlook and Notes users -- please ask your system administrators to
assist you in creating out-of-office-autoreplies that respect public
mail lists; perhaps, creating such a reply that works only within the
organization or business partners.]

[Virus scanner administrators -- sending virus warnings to a From: or
From_ header is a waste of time. Please configure your scanners to drop
mail in the SMTP protocol, and not bounce the email after the fact.
Thanks.]

-----------------------------------------------------------------------
Immunix Secured OS Security Advisory


Packages updated: bind
Affected products: Immunix OS 7+
Bugs fixed: VU#734644 CAN-2003-0914
Date: Mon Oct 27 2003
Advisory ID: IMNX-2003-7+-024-01
Author: Seth Arnold <sarnold@immunix.com>
-----------------------------------------------------------------------

Description:
A vulnerability has been found in BIND that ".. allows an attacker to
conduct cache poisoning attacks on vulnerable name servers by
convincing the servers to retain invalid negative responses."


Our bind-8.2.3-3.3_imnx_5 packages fix this problem using a patch
derived from the BIND 8.3.7 release. This vulnerability has been named
CAN-2003-0914 by the CVE project.


We'd like to apologize to our US subscribers for the incredibly poor
timing, to release this notice a day before the Thanksgiving holiday.
Our options were limited by ISC, the package maintainer.


References: http://www.kb.cert.org/vuls/id/734644
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0914

Package names and locations:
Precompiled binary packages for Immunix 7+ are available at:
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/bind-8.2.3-3.3_imnx_5.i386.rpm
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/bind-devel-8.2.3-3.3_imnx_5.i386.rpm
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/bind-utils-8.2.3-3.3_imnx_5.i386.rpm

A source package for Immunix 7+ is available at:
http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/bind-8.2.3-3.3_imnx_5.src.rpm

Immunix OS 7+ md5sums:
8a5874f96e1c76b11c214ab16e1183f4  RPMS/bind-8.2.3-3.3_imnx_5.i386.rpm
83535ea7a69ab222ccf5c8664bfd66b9  RPMS/bind-devel-8.2.3-3.3_imnx_5.i386.rpm
7669fedc653731bf54cc0dd48b258a8f  RPMS/bind-utils-8.2.3-3.3_imnx_5.i386.rpm
445c908f0c4daffe0a153bc7e5514a85  SRPMS/bind-8.2.3-3.3_imnx_5.src.rpm



GPG verification:
Our public keys are available at
http://download.immunix.org/GPG_KEY
Immunix, Inc., has changed policy with GPG keys. We maintain several
keys now: C53B2B53 for Immunix 7+ package signing, D3BA6C17 for
Immunix 7.3 package signing, and 1B7456DA for general security issues.



NOTE:
Ibiblio is graciously mirroring our updates, so if the links above are
slow, please try:

ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
or one of the many mirrors available at:

http://www.ibiblio.org/pub/Linux/MIRRORS.html

ImmunixOS 6.2 is no longer officially supported.
ImmunixOS 7.0 is no longer officially supported.


Contact information:
To report vulnerabilities, please contact security@immunix.com.
Immunix attempts to conform to the RFP vulnerability disclosure protocol

http://www.wiretrip.net/rfp/policy.html.

If you have feedback, comments, or additional information about this vulnerability, please send us email.