CERT Coordination Center


ISC BIND 8 vulnerable to cache poisoning via negative responses

Vulnerability Note VU#734644

Original Release Date: 2003-12-01 | Last Revised: 2004-01-05

Overview

The BIND 8 name server contains a cache poisoning vulnerability that allows attackers to conduct denial-of-service attacks on specific target domains.

Description

Several versions of the BIND 8 name server are vulnerable to cache poisoning via negative responses. To exploit this vulnerability, an attacker must configure a name server to return authoritative negative responses for a given target domain. Then, the attacker must convince a victim user to query the attacker's maliciously configured name server. When the attacker's name server receives the query, it will reply with an authoritative negative response containing a large TTL (time-to-live) value. If the victim's site runs a vulnerable version of BIND 8, it will cache the negative response and render the target domain unreachable until the TTL expires.
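
An added example, not part of the original note and not ISC's fix: a small Python model of resolver-side checks that keep a negative reply like the one described above from pinning a domain as unreachable. The class and field names, the sample names under `.example` and the 3-hour cap are assumptions for illustration; the TTL rule (minimum of the SOA's own TTL and its MINIMUM field) follows RFC 2308.

```python
"""Resolver-side acceptance check for negative DNS replies (illustrative model)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_NCACHE_TTL = 3 * 3600  # assumed local policy cap on negative entries (seconds)


@dataclass(frozen=True)
class Soa:
    owner: str    # zone apex named by the SOA in the authority section
    ttl: int      # TTL carried on the SOA record itself
    minimum: int  # SOA MINIMUM field


@dataclass(frozen=True)
class NegativeReply:
    name: str            # name the reply says does not exist
    soa: Optional[Soa]   # SOA from the authority section, if any
    queried_zone: str    # zone whose delegation led the resolver to this server


def _labels(name: str) -> Tuple[str, ...]:
    """Lower-case a name and split it into labels; the root is ()."""
    name = name.rstrip(".").lower()
    return tuple(name.split(".")) if name else ()


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or below it (compared label by label)."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def negative_ttl(reply: NegativeReply, cap: int = MAX_NCACHE_TTL) -> Tuple[int, str]:
    """Return (ttl, reason). A ttl of 0 means the reply must not be cached."""
    if reply.soa is None:
        return 0, "no SOA in authority section"
    if not in_zone(reply.soa.owner, reply.queried_zone):
        # The AA bit is set by the responder, so it cannot vouch for a zone
        # the responder was never delegated.
        return 0, "SOA owner outside the zone the server was asked about"
    if not in_zone(reply.name, reply.soa.owner):
        return 0, "name not covered by the SOA"
    ttl = min(reply.soa.ttl, reply.soa.minimum, cap)  # RFC 2308 rule, then cap
    return (ttl, "ok") if ttl > 0 else (0, "non-positive TTL")


class NegativeCache:
    """Negative cache that stores only replies accepted by negative_ttl()."""

    def __init__(self, cap: int = MAX_NCACHE_TTL) -> None:
        self.cap = cap
        self._expiry: Dict[Tuple[str, ...], float] = {}

    def store(self, reply: NegativeReply, now: float) -> Tuple[int, str]:
        ttl, reason = negative_ttl(reply, self.cap)
        if ttl:
            self._expiry[_labels(reply.name)] = now + ttl
        return ttl, reason

    def is_negative(self, name: str, now: float) -> bool:
        key = _labels(name)
        expiry = self._expiry.get(key)
        if expiry is None:
            return False
        if now >= expiry:  # entry has aged out; drop it
            del self._expiry[key]
            return False
        return True


# Constructed sample replies (not captured traffic).
HUGE = 2**31 - 1
# Server reached through the attacker.example delegation speaks for target.example.
FORGED = NegativeReply("www.target.example",
                       Soa("target.example", HUGE, HUGE), "attacker.example")
# In-bailiwick reply whose TTL would otherwise keep the entry for decades.
OVERSIZED = NegativeReply("missing.target.example",
                          Soa("target.example", HUGE, HUGE), "target.example")
# Ordinary negative reply: SOA TTL 3600, MINIMUM 300.
NORMAL = NegativeReply("missing.target.example",
                       Soa("target.example", 3600, 300), "target.example")

if __name__ == "__main__":
    for label, reply in (("forged", FORGED), ("oversized", OVERSIZED),
                         ("normal", NORMAL)):
        print(label, negative_ttl(reply))
```
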

Impact

Attackers may conduct denial-of-service attacks on specific target domains by enticing users to query a malicious name server.

Solution

Upgrade BIND

The ISC has prepared BIND 8.3.7 and BIND 8.4.3 to address this vulnerability. Name servers running BIND 4 are not affected. To obtain the latest versions of BIND, please visit

http://www.isc.org/products/BIND/

Apply a patch or updated version from your vendor

Many operating system vendors include BIND with their products and will be preparing new versions to address this vulnerability. For a list of vendors that the CERT/CC has received information from regarding this vulnerability, please see the Systems Affected section of this document.

Vendor Information


Apple Computer Inc.

Notified:  October 21, 2003 Updated:  December 11, 2003

Status

  Vulnerable

Vendor Statement

Mac OS X 10.3 and later: Not Vulnerable. Mac OS X 10.3 uses a later version of BIND that does not have this vulnerability.

Mac OS X 10.2.x: Recommend upgrading to Mac OS X 10.2.8, then installing BIND 8.4.3 as follows:

First install the Developer Tools if they are not already present, then perform the following steps from the command-line in an application such as Terminal:

1. Download BIND version 8.4.3 by executing the following command:
curl -O ftp://ftp.isc.org/isc/bind/src/8.4.3/bind-src.tar.gz

2. Verify the integrity of this file by typing:
cksum bind-src.tar.gz
which should indicate "3224691664 1438439 bind-src.tar.gz"

3. Unpack the distribution as follows:
tar xvzf bind-src.tar.gz

4. Now you're ready to start building the distribution.
cd to the src/ directory and type "make"

5. The next step will install the new named daemon:
sudo cp bin/named/named /usr/sbin/

6. Reboot

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD

Notified:  October 21, 2003 Updated:  December 01, 2003

Status

  Vulnerable

Vendor Statement

Please see ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:19.bind.asc

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum


=============================================================================
FreeBSD-SA-03:19.bind                                       Security Advisory

The FreeBSD Project

Topic:          bind8 negative cache poison attack

Category:       contrib
Module:         contrib_bind
Announced:      2003-11-28
Credits:        Internet Software Consortium
Affects:        FreeBSD versions through 4.9-RELEASE and 5.1-RELEASE
                4-STABLE prior to the correction date
Corrected:      2003-11-28 22:13:47 UTC (RELENG_4, 4.9-STABLE)
                2003-11-27 00:54:53 UTC (RELENG_5_1, 5.1-RELEASE-p11)
                2003-11-27 16:54:01 UTC (RELENG_5_0, 5.0-RELEASE-p19)
                2003-11-27 00:56:06 UTC (RELENG_4_9, 4.9-RELEASE-p1)
                2003-11-27 16:34:22 UTC (RELENG_4_8, 4.8-RELEASE-p14)
                2003-11-27 16:35:06 UTC (RELENG_4_7, 4.7-RELEASE-p24)
                2003-11-27 16:37:00 UTC (RELENG_4_6, 4.6.2-RELEASE-p27)
                2003-11-27 16:38:36 UTC (RELENG_4_5, 4.5-RELEASE-p37)
                2003-11-27 16:40:03 UTC (RELENG_4_4, 4.4-RELEASE-p47)

CVE Name:       CAN-2003-0914
FreeBSD only:   NO

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

BIND 8 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is the Internet domain name server.

II.  Problem Description

A programming error in BIND 8 named can result in a DNS message being
incorrectly cached as a negative response.

III. Impact

An attacker may arrange for malicious DNS messages to be delivered
to a target name server, and cause that name server to cache a
negative response for some target domain name.  The name server would
thereafter respond negatively to legitimate queries for that domain
name, resulting in a denial-of-service for applications that require
DNS.  Almost all Internet applications require DNS, such as the Web,
email, and chat networks.

IV.  Workaround

No workaround is known.

V.   Solution

Do one of the following:

1) Upgrade your vulnerable system to 4.9-STABLE; or to the RELENG_5_1,
RELENG_4_9, RELENG_4_8, or RELENG_4_7 security branch dated after the
correction date.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.9 and -STABLE systems]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-836.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-836.patch.asc

[FreeBSD 4.8 and 5.1 systems]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-834.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-834.patch.asc

[FreeBSD 4.4, 4.5, 4.6, 4.7, and 5.0 systems]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-833.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-833.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libbind
# make obj && make depend && make
# cd /usr/src/lib/libisc
# make obj && make depend && make
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# cd /usr/src/libexec/named-xfer
# make obj && make depend && make && make install

After upgrading or patching your system, you must restart named.
Execute the following command as root:

# ndc restart

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_4

src/contrib/bind/CHANGES                                   1.1.1.7.2.11
src/contrib/bind/README                                     1.1.1.7.2.9
src/contrib/bind/Version                                   1.1.1.3.2.10
src/contrib/bind/bin/named-xfer/named-xfer.c                    1.3.2.8
src/contrib/bind/bin/named/Makefile                             1.3.2.6
src/contrib/bind/bin/named/ns_init.c                        1.1.1.2.2.6
src/contrib/bind/bin/named/ns_resp.c                       1.1.1.2.2.11
src/contrib/bind/bin/nslookup/commands.l                        1.4.2.5
src/contrib/bind/bin/nslookup/debug.c                           1.3.2.6
src/contrib/bind/bin/nslookup/getinfo.c                         1.3.2.9
src/contrib/bind/bin/nslookup/main.c                            1.3.2.7
src/contrib/bind/doc/man/dig.1                                  1.3.2.4
src/contrib/bind/doc/man/host.1                                 1.3.2.5
src/contrib/bind/doc/man/nslookup.8                             1.2.2.5
src/contrib/bind/port/freebsd/include/port_after.h              1.6.2.9
src/contrib/bind/port/freebsd/include/port_before.h         1.1.1.2.2.6

RELENG_5_1
src/UPDATING                                                 1.251.2.13
src/sys/conf/newvers.sh                                       1.50.2.13
src/contrib/bind/Version                                   1.1.1.11.2.1
src/contrib/bind/bin/named/ns_resp.c                       1.1.1.11.2.1

RELENG_5_0
src/UPDATING                                                 1.229.2.25
src/sys/conf/newvers.sh                                       1.48.2.20
src/contrib/bind/Version                                   1.1.1.10.2.1
src/contrib/bind/bin/named/ns_resp.c                       1.1.1.10.2.1

RELENG_4_9
src/UPDATING                                              1.73.2.89.2.2
src/sys/conf/newvers.sh                                   1.44.2.32.2.2
src/contrib/bind/Version                                1.1.1.3.2.9.2.1
src/contrib/bind/bin/named/ns_resp.c                   1.1.1.2.2.10.2.1

RELENG_4_8
src/UPDATING                                             1.73.2.80.2.16
src/sys/conf/newvers.sh                                  1.44.2.29.2.15
src/contrib/bind/Version                                1.1.1.3.2.8.2.1
src/contrib/bind/bin/named/ns_resp.c                    1.1.1.2.2.9.2.1

RELENG_4_7
src/UPDATING                                             1.73.2.74.2.27
src/sys/conf/newvers.sh                                  1.44.2.26.2.26
src/contrib/bind/Version                                1.1.1.3.2.7.2.1
src/contrib/bind/bin/named/ns_resp.c                    1.1.1.2.2.7.2.2

RELENG_4_6
src/UPDATING                                             1.73.2.68.2.56
src/sys/conf/newvers.sh                                  1.44.2.23.2.44
src/contrib/bind/Version                                1.1.1.3.2.6.2.2
src/contrib/bind/bin/named/ns_resp.c                    1.1.1.2.2.6.2.3

RELENG_4_5
src/UPDATING                                             1.73.2.50.2.54
src/sys/conf/newvers.sh                                  1.44.2.20.2.38
src/contrib/bind/Version                                1.1.1.3.2.4.4.2
src/contrib/bind/bin/named/ns_resp.c                    1.1.1.2.2.4.4.3

RELENG_4_4
src/UPDATING                                             1.73.2.43.2.55
src/sys/conf/newvers.sh                                  1.44.2.17.2.46
src/contrib/bind/Version                                1.1.1.3.2.4.2.2
src/contrib/bind/bin/named/ns_resp.c                    1.1.1.2.2.4.2.3

-------------------------------------------------------------------------

VII. References

<URL:http://www.kb.cert.org/vuls/id/734644>

Guardian Digital Inc.

Notified:  October 21, 2003 Updated:  December 02, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum


+------------------------------------------------------------------------+
| Guardian Digital Security Advisory                   November 26, 2003 |
| http://www.guardiandigital.com                        ESA-20031126-031 |
|                                                                        |
| Packages: bind-chroot, bind-chroot-utils                               |
| Summary:  cache poisoning vulnerability.                               |
+------------------------------------------------------------------------+

EnGarde Secure Linux is an enterprise class Linux platform engineered
to enable corporations to quickly and cost-effectively build a complete
and secure Internet presence while preventing Internet threats.


OVERVIEW
--------

A cache poisoning vulnerability exists in the version of BIND shipped
with all versions of EnGarde Secure Linux.  Successful exploitation of
this vulnerability may result in a temporary denial of service until
the bad record expires from the cache.


The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0914 to this issue.


Guardian Digital products affected by this issue include:

EnGarde Secure Community v1.0.1
EnGarde Secure Community 2
EnGarde Secure Professional v1.1
EnGarde Secure Professional v1.2
EnGarde Secure Professional v1.5


It is recommended that all users apply this update as soon as possible.

SOLUTION
--------

Guardian Digital Secure Network subscribers may automatically update
affected systems by accessing their account from within the Guardian
Digital WebTool.


To modify your GDSN account and contact preferences, please go to:

https://www.guardiandigital.com/account/

Below are MD5 sums for the updated EnGarde Secure Linux 1.0.1 packages:

SRPMS/bind-chroot-8.2.6-1.0.30.src.rpm
MD5 Sum: 6127e55aaeffe9c92dcf793df910ee75


i386/bind-chroot-8.2.6-1.0.30.i386.rpm
MD5 Sum: b631c88d82dc4883df2271204d50abc3


i386/bind-chroot-utils-8.2.6-1.0.30.i386.rpm
MD5 Sum: eaac0812f751998c7f5ad66f7ba9d9d4


i686/bind-chroot-8.2.6-1.0.30.i686.rpm
MD5 Sum: 4b5ced2b8f72d9df3a340833ef0a60c0


i686/bind-chroot-utils-8.2.6-1.0.30.i686.rpm
MD5 Sum: 21f203bb6fad4a5474b179337c395442


REFERENCES
----------

Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

BIND's Official Web Site:
http://www.isc.org/products/BIND/

Guardian Digital Advisories:
http://infocenter.guardiandigital.com/advisories/

Security Contact: security@guardiandigital.com

--------------------------------------------------------------------------
Author: Ryan W. Maple <ryan@guardiandigital.com>
Copyright 2003, Guardian Digital, Inc.


Hewlett-Packard Company

Notified:  October 21, 2003 Updated:  December 03, 2003

Status

  Vulnerable

Vendor Statement

Document ID:  HPSBUX0311-303
Date Loaded:  20031130

Title:  SSRT3653 Bind 8.1.2


-----------------------------------------------------------------
Source: HEWLETT-PACKARD COMPANY
SECURITY BULLETIN: HPSBUX0311-303
Originally issued: 30 November 2003
SSRT3653 Bind 8.1.2
-----------------------------------------------------------------


NOTICE: There are no restrictions for distribution of this
Bulletin provided that it remains complete and intact.

The information in the following Security Bulletin should be
acted upon as soon as possible.  Hewlett-Packard Company will
not be liable for any consequences to any customer resulting
from customer's failure to fully implement instructions in this
Security Bulletin as soon as possible.

-----------------------------------------------------------------

PROBLEM: Potential security vulnerability in Bind 8.1.2.

PLATFORM: HP-UX B.11.00 and B.11.11.

IMPACT: Potential remotely exploitable denial of service.

SOLUTION: Until a product upgrade is available, download and
          install appropriate preliminary updates or upgrade
          to Bind 9.2.0.

          B.11.11 - Install the preliminary depot:
                    SSRT3653UX.depot.

          B.11.00 - A Bind 8.1.2 upgrade is available from
                    the ftp site listed below.

          The issue can be avoided by upgrading to
          Bind 9.2.0 which is available now.  The security
          bulletin HPSBUX0208-209 has details about required
          revisions of Bind 9.2.0 for B.11.00 and B.11.11.

MANUAL ACTIONS: Yes - NonUpdate
          B.11.11 - Install SSRT3653UX.depot.
                    or upgrade to Bind 9.2.0.
          B.11.00 - Upgrade to Bind 9.2.0 or
                    install BIND812v005.depot.

AVAILABILITY:  This bulletin will be revised when a patch
is available for B.11.11.


-----------------------------------------------------------------
A. Background

The potential for a remotely exploitable denial of service
exists in Bind 8.1.2.


AFFECTED VERSIONS

The following is a list by HP-UX revision of
affected filesets and the fileset revision or
patch containing the fix.  To determine if a
system has an affected version, search the
output of "swlist -a revision -l fileset"
for an affected fileset, then determine if
a fixed revision or the applicable patch is
installed.


HP-UX B.11.11
=============
InternetSrvcs.INETSVCS-RUN
fix: install SSRT3653UX.depot or
     upgrade to Bind 9.2.0.

HP-UX B.11.00
=============
BINDv812.INETSVCS-BIND
fix: upgrade to BIND-812 revision B.11.00.01.005 or
     upgrade to Bind 9.2.0.

END AFFECTED VERSIONS

B. Recommended solution

Note:
The issue can be avoided by upgrading to
Bind 9.2.0 which is available now.  The security
bulletin HPSBUX0208-209 has details about required
revisions of Bind 9.2.0 for B.11.00 and B.11.11.


HP-UX B.11.00 Bind 8.1.2
========================
BIND812 for B.11.00 has been discontinued.  It will
become obsolete by the end of March, 2004.  A new
version of BIND812 for B.11.00 has been created to
address the issue of this bulletin.  However, it is
recommended that customers upgrade to Bind 9.2.0 now.
More details can be found here:


<http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=BIND812>


The new version of BIND812 for B.11.00 is available from
the ftp site listed below.  Since BIND812 for B.11.00 has
been discontinued, this version will not be available
from software.hp.com.


HP-UX B.11.11 Bind 8.1.2
========================


Until a patch is available a temporary depot has been created
to install a version of /usr/sbin/named which addresses the
issue.  The depot is available from the ftp site listed
below.  The depot will not install the new named file unless
PHNE_28450 has been installed first.  PHNE_28450 is available
from <http://itrc.hp.com>.


=========================================================

For B.11.00 download BIND812v005.depot from the
following ftp site.


For B.11.11 download SSRT3653UX.depot from the
following ftp site.


System:    hprc.external.hp.com  (192.170.19.51)
Login:     bind812
Password:  bind812


FTP Access: ftp://bind:bind1@hprc.external.hp.com/
or: ftp://bind:bind1@192.170.19.51/

For B.11.11 - file: SSRT3653UX.depot
For B.11.00 - file: BIND812v005.depot


Note: There is an ftp defect in IE5 that may result in
a browser hang.  To work around this:

- Select Tools -> Internet Options -> Advanced
- Un-check the option:

[ ] Enable folder view for FTP sites

If you wish to verify the md5 sum please refer to:

HPSBUX9408-016
Patch sums and the MD5 program


For B11.00 - BIND812v005.depot
cksum: 1413515727 1239040 BIND812v005.depot
MD5 (BIND812v005.depot) = 333920fa1b74820bee15f2287bacc3c2


For B.11.11 - SSRT3653UX.depot
cksum: 509054485 389120 SSRT3653UX.depot
MD5 (SSRT3653UX.depot) = ee96c169ec3712d5907b7fe983d108dc


For B.11.00 - Install BIND812v005.depot using swinstall.

For B.11.11 - Install SSRT3653UX.depot using swinstall
after PHNE_28450 has been installed.


Further information is available in the readme file:
cd <directory containing SSRT3653UX.depot>
swlist -d -l product -a readme @ $PWD/SSRT3653UX.depot



------------------------------------------------------------------

C. To subscribe to automatically receive future NEW HP Security
Bulletins from the HP IT Resource Center via electronic
mail, do the following:


Use your browser to get to the HP IT Resource Center page
at:


http://itrc.hp.com

Use the 'Login' tab at the left side of the screen to login
using your ID and password.  Use your existing login or the
"Register" button at the left to create a login, in order to
gain access to many areas of the ITRC.  Remember to save the
User ID assigned to you, and your password.


In the left most frame select "Maintenance and Support".

Under the "Notifications" section (near the bottom of
the page), select "Support Information Digests".


To -subscribe- to future HP Security Bulletins or other
Technical Digests, click the check box (in the left column)
for the appropriate digest and then click the "Update
Subscriptions" button at the bottom of the page.


or

To -review- bulletins already released, select the link
(in the middle column) for the appropriate digest.


To -gain access- to the Security Patch Matrix, select
the link for "The Security Bulletins Archive".  (near the
bottom of the page)  Once in the archive the third link is
to the current Security Patch Matrix. Updated daily, this
matrix categorizes security patches by platform/OS release,
and by bulletin topic.  Security Patch Check completely
automates the process of reviewing the patch matrix for
11.XX systems.


For information on the Security Patch Check tool, see:
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA


The security patch matrix is also available via anonymous
ftp:


ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/

On the "Support Information Digest Main" page:
click on the "HP Security Bulletin Archive".


D. To report new security vulnerabilities, send email to

security-alert@hp.com

Please encrypt any exploit information using the
security-alert PGP key, available from your local key
server, or by sending a message with a -subject- (not body)
of 'get key' (no quotes) to security-alert@hp.com.


----------------------------------------------------------------

(c) Copyright 2003 Hewlett-Packard Company
Hewlett-Packard Company shall not be liable for technical or
editorial errors or omissions contained herein. The information
in this document is subject to change without notice.
Hewlett-Packard Company and the names of HP products referenced
herein are trademarks and/or service marks of Hewlett-Packard
Company.  Other product and company names mentioned herein may be
trademarks and/or service marks of their respective owners.

________________________________________________________________

-----End of Document ID: HPSBUX0311-303--------------------------------------

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


IBM

Notified:  October 21, 2003 Updated:  December 03, 2003

Status

  Vulnerable

Vendor Statement

The AIX operating system is vulnerable to the BIND8 cache poisoning attack in releases 4.3.3, 5.1.0 and 5.2.0. The APARs for this fix and their availability are listed below.

APAR number for AIX 4.3.3: IY49899 (available 2/25/2004)
APAR number for AIX 5.1.0: IY49881 (available)
APAR number for AIX 5.2.0: IY49883 (available 12/24/2003)

These APARs can be downloaded by following the link for IBM's Fix Central at:

Efix packages for 4.3.3 and 5.2.0 will be available by 12/02/2004 at:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

IBM has published APAR IY49881 regarding this vulnerability. For more information, please see:

Immunix

Updated:  December 01, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----------------------------------------------------------------------
Immunix Secured OS Security Advisory


Packages updated:   bind
Affected products:  Immunix OS 7+
Bugs fixed:         VU#734644 CAN-2003-0914
Date:               Mon Oct 27 2003
Advisory ID:        IMNX-2003-7+-024-01
Author:             Seth Arnold <sarnold@immunix.com>
-----------------------------------------------------------------------

Description:
A vulnerability has been found in BIND that ".. allows an attacker to
conduct cache poisoning attacks on vulnerable name servers by
convincing the servers to retain invalid negative responses."


Our bind-8.2.3-3.3_imnx_5 packages fix this problem using a patch
derived from the BIND 8.3.7 release. This vulnerability has been named
CAN-2003-0914 by the CVE project.


We'd like to apologize to our US subscribers for the incredibly poor
timing, to release this notice a day before the Thanksgiving holiday.
Our options were limited by ISC, the package maintainer.


References: http://www.kb.cert.org/vuls/id/734644
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0914

Package names and locations:
Precompiled binary packages for Immunix 7+ are available at:
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/bind-8.2.3-3.3_imnx_5.i386.rpm
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/bind-devel-8.2.3-3.3_imnx_5.i386.rpm
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/bind-utils-8.2.3-3.3_imnx_5.i386.rpm

A source package for Immunix 7+ is available at:
http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/bind-8.2.3-3.3_imnx_5.src.rpm

Immunix OS 7+ md5sums:
8a5874f96e1c76b11c214ab16e1183f4  RPMS/bind-8.2.3-3.3_imnx_5.i386.rpm
83535ea7a69ab222ccf5c8664bfd66b9  RPMS/bind-devel-8.2.3-3.3_imnx_5.i386.rpm
7669fedc653731bf54cc0dd48b258a8f  RPMS/bind-utils-8.2.3-3.3_imnx_5.i386.rpm
445c908f0c4daffe0a153bc7e5514a85  SRPMS/bind-8.2.3-3.3_imnx_5.src.rpm



GPG verification:
Our public keys are available at
http://download.immunix.org/GPG_KEY
Immunix, Inc., has changed policy with GPG keys. We maintain several
keys now: C53B2B53 for Immunix 7+ package signing, D3BA6C17 for
Immunix 7.3 package signing, and 1B7456DA for general security issues.



NOTE:
Ibiblio is graciously mirroring our updates, so if the links above are
slow, please try:

ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
or one of the many mirrors available at:

http://www.ibiblio.org/pub/Linux/MIRRORS.html

ImmunixOS 6.2 is no longer officially supported.
ImmunixOS 7.0 is no longer officially supported.


Contact information:
To report vulnerabilities, please contact security@immunix.com.
Immunix attempts to conform to the RFP vulnerability disclosure protocol
http://www.wiretrip.net/rfp/policy.html.


Internet Software Consortium

Notified:  September 04, 2003 Updated:  December 01, 2003

Status

  Vulnerable

Vendor Statement

Internet Software Consortium Security Advisory.
Negative Cache Poison Attack

4 September 2003

Versions affected:
    BIND 8 prior to 8.3.7

BIND 8.4.3 Release (8.4.3-REL)

BIND 8.4.3 is a maintenance release of BIND 8.4.  It includes the BIND 8.4.2
release which includes a security fix (also released as BIND 8.3.7).

Highlights.
Maintenance Release.


Highlights (8.4.2)
Security Fix: Negative Cache Poison Fix.


the distribution files are:

ftp://ftp.isc.org/isc/bind/src/8.4.3/bind-src.tar.gz
ftp://ftp.isc.org/isc/bind/src/8.4.3/bind-doc.tar.gz
ftp://ftp.isc.org/isc/bind/src/8.4.3/bind-contrib.tar.gz

the pgp signature files are:

ftp://ftp.isc.org/isc/bind/src/8.4.3/bind-src.tar.gz.asc
ftp://ftp.isc.org/isc/bind/src/8.4.3/bind-doc.tar.gz.asc
ftp://ftp.isc.org/isc/bind/src/8.4.3/bind-contrib.tar.gz.asc

the md5 checksums are:


MD5 (bind-contrib.tar.gz) = 454f8e3caf1610941a656fcc17e1ecec
MD5 (bind-contrib.tar.gz.asc) = f8f0a5b8985a8180e5bd02207f319980
MD5 (bind-doc.tar.gz) = fcfdaaa2fc7d6485b0e3d08299948bd3
MD5 (bind-doc.tar.gz.asc) = fc0671468c2e3a1e5ff817b69da21a6b
MD5 (bind-src.tar.gz) = e78610fc1663cfe8c2db6a2d132d902b
MD5 (bind-src.tar.gz.asc) = 40453b40819fd940ad4bfabd26425619

Windows NT / Windows 2000 binary distribution.

ftp://ftp.isc.org/isc/bind/contrib/ntbind-8.4.3/readme1st.txt
ftp://ftp.isc.org/isc/bind/contrib/ntbind-8.4.3/BIND8.4.3.zip
ftp://ftp.isc.org/isc/bind/contrib/ntbind-8.4.3/BIND8.4.3.zip.asc

ftp://ftp.isc.org/isc/bind/contrib/ntbind-8.4.3/readme1sttools.txt
ftp://ftp.isc.org/isc/bind/contrib/ntbind-8.4.3/BIND8.4.3Tools.zip
ftp://ftp.isc.org/isc/bind/contrib/ntbind-8.4.3/BIND8.4.3Tools.zip.asc

the md5 checksums are:

MD5 (readme1st.txt) = ac4ce260f151dc1ab393c145f4288bba
MD5 (BIND8.4.3.zip) = 7c3e333f90edbe3820952a62ff6ffdf3
MD5 (BIND8.4.3.zip.asc) = f2190cc390ce584c0cc624835bdcc8eb

MD5 (readme1sttools.txt) = eef4c5782be1a1faac3ca0c756eaef05
MD5 (BIND8.4.3Tools.zip) = 8cb29c092394dfa430ef9ea47b6a02ea
MD5 (BIND8.4.3Tools.zip.asc) = a77b2adb1f23db780f45efee32a92882

top of CHANGES says:

--- 8.4.3 released --- (Mon Nov 24 17:27:52 PST 2003)

1617.[cleanup]don't pre-fetch missing additional address records if
we have one of A/AAAA.


1616.[func]turn on "preferred-glue A;" (if not specified in
named.conf) if the answer space is a standard UDP
message size or smaller.


1615.[func]when query logging log whether TSIG (T) and/or EDNS (E)
was used to make the query.


1614.[cleanup]on dual (IPv4+IPv6) stack servers delay the lookup of
missing glue if we have glue for one family.


1613.[cleanup]notify: don't lookup A/AAAA records for nameservers
if we don't support the address at the transport level.


1612.[func]named now takes arguements -4 and -6 to limit the
IP transport used for making queries.


1611.[debug]better packet tracing in debug output (+ some lint).

1610.[bug]don't explictly declare errno use <errno.h>.

1609.[bug]drop_port() was being called with ports in network
order rather than host order.


1608.[port]sun: force alignment of answer in dig.c.

1607.[bug]do not attempt to prime cache when recursion and
fetch-glue are disabled.


1606.[bug]sysquery duplicate detection was broken when
using forwarders.


1605.[port]sun: force alignment of newmsg in ns_resp.c.

1604.[bug]heap_delete() sometimes violated the heap invariant,
causing timer events not to be posted when due.


1603.[port]ds_remove_gen() mishandled removal IPv6 interfaces.

1602.[port]linux: work around a non-standard __P macro.

1601.[bug]dig could report the wrong server address on transfers.

1600.[bug]debug_freestr() prototype mismatch.

1599.[bug]res_nsearch() save statp->res_h_errno instead of
h_errno.


1598.[bug]dprint_ip_match_list() fails to print the mask
correctly.


1597.[bug]use the actual presentation length of the IP address
to determine if sprintf() is safe in write_tsig_info().


--- 8.4.2 released --- (Thu Sep  4 06:58:22 PDT 2003)

1596. [port] winnt: set USELOOPBACK in port_after.h

1595. [bug] dig: strcat used instead of strcpy.

1594. [bug] if only a single nameserver was listed in resolv.conf IPv6 default server was also being used.

1593. [port] irix: update port/irix/irix_patch.

1592. [port] irix: provide a sysctl() based getifaddrs() implementation.

1591. [port] irix: sa_len is a macro.

1590. [port] irix: doesn't have msg_control (NO_MSG_CONTROL)

1589. [port] linux: uninitialised variable.

1588. [port] solaris: provide ALIGN.

1587. [port] NGR_R_END_RESULT was not correct for some ports.

1586. [port] winnt: revert to old socket behaviour for UDP sockets (Windows 2000 SP2 and later).

1585. [port] solaris: named-xfer needs <fcntl.h>.

1584. [port] bsdos: explicitly include <netinet6/in6.h> for 4.0 and 4.1.

1583. [bug] add -X to named-xfer usage message.

1582. [bug] ns_ownercontext() failed to set the correct owner context for AAAA records. ns_ptrcontext() failed to return the correct context for IP6.ARPA.

1581. [bug] apply anti-cache poison techniques to negative answers.

1580. [bug] inet_net_pton() didn't fully handle implicit multicast IPv4 network addresses.

1579. [bug] ifa_addr can be NULL.

1578. [bug] named-xfer: wrong argument passed to getnameinfo().

1577. [func] return referrals for glue (NS/A/AAAA) if recursion is not desired (hp->rd = 0).

1576. [bug] res_nsendsigned() incorrectly printed the truncated UDP response when RES_IGNTC was not set.

1575. [bug] tcp_send() passed the wrong length to evConnect().

1574. [bug] res_nsendsigned() failed to handle truncation cleanly.

1573. [bug] tsig_size was not being copied by ns_forw().

1572. [port] bsdos: missing #include <ifaddrs.h>.

1571. [bug] AA was sometimes incorrectly set.

1570. [port] decunix: change #1544 broke OSF1 3.2C.

1569. [bug] remove extraneous closes.

1568. [cleanup] reduce the memory footprint for large numbers of zones.

1567. [port] winnt: install MSVC70.DLL and MFC70.DLL.

1566. [bug] named failed to locate keys declared in masters clause.

1565. [bug] named-xfer was failing to use TSIG.

1564. [port] linux: allow static linkage to work.

1563. [bug] ndc getargs_closure failed to NUL terminate strings.

1562. [bug] handle non-responsive servers better.

1561. [bug] rtt estimates were not being updated for IPv6 addresses.

1560. [port] linux: add runtime support to handle old kernels that don't know about msg_control.

1559. [port] named, named-xfer: ensure that stdin, stdout and stderr are open.


--- 8.4.1-P1 released --- (Sun Jun 15 17:35:10 PDT 2003)

1558. [port] sunos4 doesn't have msg_control (NO_MSG_CONTROL).

1557. [port] linux: socket returns EINVAL for unsupported family.

1556. [bug] reference through NULL pointer.

1555. [bug] sortlist wasn't being applied to AAAA queries.

1554. [bug] IPv4 access list elements of the form number/number (e.g. 127/8) were not correctly defined.

1553. [bug] getifaddrs*() failed to set ifa_dstaddr for point to point links (overwrote ifa_addr).

1552. [bug] buffer overruns in getifaddrs*() if the server has point to point links.

1551. [port] freebsd: USE_IFNAMELINKIDS should be conditionally defined.

1550. [port] TruCluster support didn't build.

1549. [port] Solaris 9 has /dev/random.

--- 8.4.1-REL released --- (Sun Jun  8 15:11:32 PDT 2003)

1548. [port] winnt: make recv visible from libbind.

1547. [port] cope with spurious EINVAL from evRead.

1546. [cleanup] dig now reports version 8.4.

1545. [bug] getifaddrs_sun6 was broken.

1544. [port] hpux 10.20 has a broken recvfrom(). Revert to recv() in named-xfer and work around deprecated recv() in OSF.

1543. [bug] named failed to send notifies to servers that live in zones it was authoritative for.

1542. [bug] set IPV6_USE_MIN_MTU on IPv6 sockets if the kernel supports it.

1541. [bug] getifaddrs_sun6() should be a no-op on early SunOS releases.

--- 8.4.0-REL released --- (Sun Jun  1 17:49:31 PDT 2003)

BIND 8.3.7 Release


BIND 8.3.7 is a security release of BIND 8.3.  This is expected to
be the last release of BIND 8.3 except for security issues.

The recommended version to use is BIND 9.2.3.  If for whatever
reason you must run BIND 8, use nothing earlier than 8.3.7-REL,
8.4.2-REL.  Do not under any circumstances run BIND 4.

Highlights vs. 8.3.6
Security Fix: Negative Cache Poison Fix.


Highlights vs. 8.3.5
Maintenance release.


Highlights vs. 8.3.4
Maintenance release.


Highlights vs. 8.3.3
Security Fix DoS and buffer overrun.


Highlights vs. 8.3.2
Security Fix libbind. All applications linked against libbind
need to be re-linked.
'rndc restart' now preserves named's arguments


Highlights vs. BIND 8.3.1:
dig, nslookup, host and nsupdate have improved IPv6 support.


Highlights vs. BIND 8.3.0:

Critical bug fix to prevent DNS storms. If you have BIND 8.3.0 you
need to upgrade.


the distribution files are:

ftp://ftp.isc.org/isc/bind/src/8.3.7/bind-src.tar.gz
ftp://ftp.isc.org/isc/bind/src/8.3.7/bind-doc.tar.gz
ftp://ftp.isc.org/isc/bind/src/8.3.7/bind-contrib.tar.gz

the pgp signature files are:

ftp://ftp.isc.org/isc/bind/src/8.3.7/bind-src.tar.gz.asc
ftp://ftp.isc.org/isc/bind/src/8.3.7/bind-doc.tar.gz.asc
ftp://ftp.isc.org/isc/bind/src/8.3.7/bind-contrib.tar.gz.asc

the md5 checksums are:

MD5 (bind-contrib.tar.gz) = 89009ee8d937cd652a77742644772023
MD5 (bind-contrib.tar.gz.asc) = 3b91ed818771d21aa37c3ecc4685ba9d
MD5 (bind-doc.tar.gz) = b7ccbde30d8c43202eabf61a51366852
MD5 (bind-doc.tar.gz.asc) = 333f80ec3d12ef7fc27a19ba2f9a9be0
MD5 (bind-src.tar.gz) = 36cc1660eb7d73e872a1e5af6f832167
MD5 (bind-src.tar.gz.asc) = 50a45b11e12441142d6eac423c5d01c7

Windows NT / Windows 2000 binary distribution.

There will be no Windows binary release of BIND 8.3.7.
The current Windows binary release is BIND 8.4.3.


top of CHANGES says:

--- 8.3.7-REL released --- (Wed Sep  3 21:01:37 PDT 2003)

1581. [bug] apply anti-cache poison techniques to negative answers.


--- 8.3.6-REL released --- (Sun Jun  8 15:11:32 PDT 2003)

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


NetBSD

Notified:  October 21, 2003 Updated:  November 17, 2003

Status

  Vulnerable

Vendor Statement

NetBSD (1.6, 1.6.1 and current) is shipping with a vulnerable version of BIND 8. We will upgrade to either 8.3.7 or 8.4.2 as soon as ISC releases the info to the public. Or, users might want to use BIND 9 from pkgsrc.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Nixu

Notified:  October 21, 2003 Updated:  November 20, 2003

Status

  Vulnerable

Vendor Statement

The current versions of Nixu NameSurfer are not affected by this issue as they ship with BIND 9.2.2. However, as NameSurfer Suite and NameSurfer Standard Edition also support all the earlier versions of BIND, Nixu recommends that all organizations operating an existing Nixu NameSurfer installation upgrade their visible nameservers to BIND versions 9.2.1 or newer; BIND9 is compatible with NameSurfer versions 3.0.1 or newer.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


SuSE Inc.

Notified:  October 21, 2003 Updated:  December 01, 2003

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

SUSE Security Announcement

Package:                bind8
Announcement-ID:        SuSE-SA:2003:047
Date:                   Friday, Nov 28th 2003 15:30 MEST
Affected products:      7.3, 8.0, 8.1, 8.2
Vulnerability Type:     cache poisoning/denial-of-service
Severity (1-10):        5
SUSE default package:   yes
Cross References:       CAN-2003-0914


Content of this advisory:
1) security vulnerability resolved:

- caching negative answers
problem description, discussion, solution and upgrade information

2) pending vulnerabilities, solutions, workarounds:
- ethereal
- KDE
- mc
- apache1/2
- gpg
- freeradius
- xscreensaver
- screen
- mod_gzip
- gnpan

3) standard appendix (further information)

______________________________________________________________________________

1)  problem description, brief discussion, solution, upgrade information

To resolve IP addresses to host and domain names and vice versa the
DNS service needs to be consulted. The most popular DNS software is
the BIND8 and BIND9 suite. The BIND8 code is vulnerable to a remote
denial-of-service attack by poisoning the cache with authoritative
negative responses that should not be accepted otherwise.
To execute this attack a name-server needs to be under malicious
control and the victim's bind8 has to query this name-server.
The attacker can set a high TTL value to keep his negative record as
long as possible in the cache of the victim. For this time the clients
of the attacked site that rely on the bind8 service will not be able
to reach the domain specified in the negative record.
These records should disappear after the time-interval (TTL) elapsed.


There is no temporary workaround for this bug.

To make this update effective run "rcnamed restart" as root please.

Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.



Intel i386 Platform:

SuSE-8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/bind8-8.3.4-64.i586.rpm
3d44d46f0e8397c69d53e96aba9fbd6d
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/bind8-8.3.4-64.i586.patch.rpm
cce1df09a0b6fb5cbbddcc462f055c64
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/bind8-8.3.4-64.src.rpm
a980a0eca79de02f135fce1cbe84ee22

SuSE-8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/bind8-8.2.4-336.i586.rpm
4a46d0560eac1ca5de77c12f8abe4952
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/bind8-8.2.4-336.i586.patch.rpm
c8020302f6f161e9d86a3f1615304a23
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/bind8-8.2.4-336.src.rpm
c9ee184cbd1f1722c94de9fd66f11801

SuSE-8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/bind8-8.2.4-334.i386.rpm
f739fdb03a7df6685e0aa026f98a0389
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/bind8-8.2.4-334.i386.patch.rpm
a3de26e06b689d29b4b4b08c04fa32f4
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/bind8-8.2.4-334.src.rpm
85d8d9fee3c8a029263777a45b4af011

SuSE-7.3:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/bind8-8.2.4-334.i386.rpm
381c2b6f805ca30d0fefc98afaee9ba0
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/bind8-8.2.4-334.src.rpm
97a87469cfb573bdd89f8f3a2c02264f



Sparc Platform:

SuSE-7.3:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/bind8-8.2.4-128.sparc.rpm
c08454b933ed2365d9d2ab1322803af6
source rpm(s):
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/bind8-8.2.4-128.src.rpm
827a7f56273c7a25ac40ffba728e9150



PPC Power PC Platform:

SuSE-7.3:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/bind8-8.2.4-243.ppc.rpm
12f1f205c08449e945c8ad344a8e3b41
source rpm(s):
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/bind8-8.2.4-243.src.rpm
177093e76b3b8d2679089a1ab1c46d0e

______________________________________________________________________________

2)  Pending vulnerabilities in SUSE Distributions and Workarounds:

- ethereal
A new official version of ethereal, a network traffic analyzer, was
released to fix various security-related problems.
An update package is currently being tested and will be released
as soon as possible.


- KDE
New KDE packages are currently being tested. These packages fix
several vulnerabilities:

+ remote root compromise (CAN-2003-0690)
+ weak cookies (CAN-2003-0692)
+ SSL man-in-the-middle attack
+ information leak through HTML-referrer (CAN-2003-0459)
+ wrong file permissions of config files

The packages will be released as soon as testing is finished.

- mc
By using a special combination of links in archive-files it is possible
to execute arbitrary commands while mc tries to open it in its VFS.
The packages are currently tested and will be released as soon as
possible.


- apache1/2
The widely used HTTP server apache has several security vulnerabilities:

- locally exploitable buffer overflow in the regular expression code.
The attacker must be able to modify .htaccess or httpd.conf.
(affects: mod_alias and mod_rewrite)

- under some circumstances mod_cgid will output its data to the
wrong client (affects: apache2)

The new packages are available on our FTP servers.


- gpg
In GnuPG version 1.0.2 a new code for ElGamal was introduced.
This code leads to an attack on users who use ElGamal keys for
signing. It is possible to reconstruct the private ElGamal key
by analyzing a public ElGamal signature.
Please note that the ElGamal algorithm is seldom used and GnuPG
displays several warnings when generating ElGamal signature keys.
The default key generation process in GnuPG will create a DSA signature
key and an ElGamal subkey for _encryption only_. These keys are not
affected by this vulnerability.
Anyone using ElGamal signature keys (type 20, check fourth field of
"gpg --list-keys --with-colon" output) should revoke them.


- freeradius
Two vulnerabilities were found in the FreeRADIUS package.
The remote denial-of-service attack bug was fixed and new packages
will be released as soon as testing was successfully finished.
The other bug is a remote buffer overflow in the module rlm_smb.
We do not ship this module and will fix it for future releases.


- xscreensaver
The well known screen-saver for X is vulnerable to several local
tmp file attacks as well as a crash when verifying a password.
Only SuSE Linux 9.0 products are affected.
The new packages are available on our FTP servers.


- screen
A buffer overflow in screen was reported. Since SuSE Linux 8.0
we do not ship screen with the s-bit anymore. An update package
will be released for 7.3 as soon as possible.


- mod_gzip
The apache module mod_gzip is vulnerable to remote code execution
while running in debug-mode. We do not ship this module in debug-mode
but future versions will include the fix.


- gnpan
A remote denial-of-service attack can be run against the GNOME
news-reader program gnpan. This bug affects SuSE Linux 8.0, 8.1, 8.2.
Update packages are available on our FTP servers.


______________________________________________________________________________

3)  standard appendix: authenticity verification, additional information

- Package authenticity verification:

SUSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.


1) execute the command
md5sum <name-of-the-file.rpm>

after you downloaded the file from a SUSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key security@suse.de),
the checksums show proof of the authenticity of the package.
We disrecommend to subscribe to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
list software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.


2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command

rpm -v --checksig <file.rpm>

to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an un-installed rpm
package file.
Prerequisites:

a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SUSE in rpm packages for SUSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):

gpg --batch; gpg < announcement.txt | gpg --import

SUSE Linux distributions version 7.1 and thereafter install the
key "build@suse.de" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the top-level directory of the first CD (pubring.gpg)
and at
ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .


- SUSE runs two security mailing lists to which any interested party may
subscribe:


suse-security@suse.com
-   general/linux/SUSE security discussion.

All SUSE security announcements are sent to this list.
To subscribe, send an email to

<suse-security-subscribe@suse.com>.

suse-security-announce@suse.com
-   SUSE's announce-only mailing list.

Only SUSE's security announcements are sent to this list.
To subscribe, send an email to

<suse-security-announce-subscribe@suse.com>.

For general information or the frequently asked questions (faq)
send mail to:

<suse-security-info@suse.com> or
<suse-security-faq@suse.com> respectively.


=====================================================================
SUSE's security contact is <security@suse.com> or <security@suse.de>.
The <security@suse.de> public key is listed below.
=====================================================================

______________________________________________________________________________

The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the clear-text signature shows proof of the
authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.


Type Bits/KeyID    Date       User ID
pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>



Bye,
Thomas

--
Thomas Biege <thomas@suse.de>, SUSE LINUX AG, Security Support & Auditing

"lynx -source http://www.suse.de/~thomas/contact/thomas.asc | pgp -fka"
Key fingerprint = 51 AD B9 C7 34 FC F2 54  01 4A 1C D4 66 64 09 83

--
... stay with me, safe and ignorant, go back to sleep...

- Maynard James Keenan

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.
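
The SuSE advisory above describes the flaw as caching authoritative negative responses "that should not be accepted otherwise", kept in the cache by a large TTL. The following is an added illustration of the kind of acceptance check a caching resolver can apply before storing a negative answer; it is not ISC's patch and not code from any vendor on this page. The data model (`NegativeAnswer`, `Soa`), the `MAX_NCACHE_TTL` cap and the sample names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed local policy: never hold a negative answer longer than 3 hours,
# whatever TTL the responding server asks for.
MAX_NCACHE_TTL = 3 * 60 * 60


@dataclass
class Soa:
    owner: str    # owner name of the SOA record in the authority section
    ttl: int      # TTL carried by the SOA record itself
    minimum: int  # SOA MINIMUM field


@dataclass
class NegativeAnswer:
    denied_name: str    # name the response says does not exist / has no data
    server_zone: str    # zone for which this server was being consulted
    soa: Optional[Soa]  # SOA from the authority section, if any


def labels(name: str) -> List[str]:
    """Split a domain name into lower-cased labels, ignoring a trailing dot."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def in_zone(name: str, zone: str) -> bool:
    """True when name equals zone or lies below it, compared label by label."""
    n, z = labels(name), labels(zone)
    return len(z) <= len(n) and n[len(n) - len(z):] == z


def ncache_decision(ans: NegativeAnswer) -> Tuple[bool, int, str]:
    """Return (cache_it, ttl_seconds, reason) for a negative answer."""
    if ans.soa is None:
        return (False, 0, "no SOA in authority section")
    if not in_zone(ans.denied_name, ans.server_zone):
        return (False, 0, "denied name is outside the zone this server was asked about")
    if not in_zone(ans.soa.owner, ans.server_zone):
        return (False, 0, "SOA owner is outside the zone this server was asked about")
    if not in_zone(ans.denied_name, ans.soa.owner):
        return (False, 0, "SOA does not cover the denied name")
    # Negative TTL is the smaller of the SOA TTL and the SOA MINIMUM field,
    # then clamped to the local cap so a huge value cannot pin the entry.
    ttl = max(0, min(ans.soa.ttl, ans.soa.minimum, MAX_NCACHE_TTL))
    return (True, ttl, "ok")


def demo() -> List[Tuple[bool, int, str]]:
    """Run the check over constructed sample answers (not captured traffic)."""
    week = 7 * 24 * 60 * 60
    samples = [
        # Server consulted for untrusted.example denies a name in another zone.
        NegativeAnswer("www.target.example", "untrusted.example",
                       Soa("target.example", week, week)),
        # In-zone denial, but with a very large TTL: accepted and clamped.
        NegativeAnswer("nohost.target.example", "target.example",
                       Soa("target.example", 2**31 - 1, 2**31 - 1)),
        # Ordinary in-zone denial: TTL is min(SOA TTL, SOA MINIMUM).
        NegativeAnswer("nohost.target.example", "target.example",
                       Soa("target.example", 3600, 300)),
        # Negative answer with no SOA: nothing to derive a TTL from.
        NegativeAnswer("nohost.target.example", "target.example", None),
    ]
    return [ncache_decision(s) for s in samples]


if __name__ == "__main__":
    for result in demo():
        print(result)
```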


Sun Microsystems Inc.

Notified:  October 21, 2003 Updated:  December 01, 2003

Status

  Vulnerable

Vendor Statement

All supported releases of Solaris (ie Solaris 7, 8 and 9)
are affected by this issue. We have published a Sun Alert which is
available from:
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/57434

It describes a possible workaround that can be used until official patches
are released.

Supported Cobalt platforms and Sun Linux 5.0 are also affected. A Sun
Alert will be published and will be available from:
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


The SCO Group (SCO UnixWare)

Notified:  October 21, 2003 Updated:  December 03, 2003

Status

  Vulnerable

Vendor Statement

UnixWare 7.1.3: Unaffected current version of bind is 9.2.1.
Open UNIX 8.0.0 (aka UnixWare 7.1.2) Unaffected current version of bind is 9.2.0.
UnixWare 7.1.1: Affected. Fix will be at

OpenServer: fix in-progress

OpenLinux: also fix in-progress

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

SCO Security Advisory

Subject: UnixWare 7.1.1 : Bind: cache poisoning BIND 8 prior to 8.3.7 and BIND 8.4.x prior 8.4.2
Advisory number: CSSA-2003-SCO.33
Issue date: 2003 December 01
Cross reference: sr886768 fz528464 erg712479 CAN-2003-0914
______________________________________________________________________________


1. Problem Description

UnixWare 7.1.3 is unaffected by this issue because the
version of bind included in UnixWare 7.1.3 is 9.2.1.


Open UNIX is also unaffected by this issue because the version
of bind in Open UNIX 8.0.0 is 9.1.0.


CERT/CC Incident Note VU#734644

BIND is an implementation of the Domain Name System (DNS)
protocols. Successful exploitation of this vulnerability
may result in a temporary denial of service.


The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2003-0914 to this issue.



2. Vulnerable Supported Versions

System            Binaries
----------------------------------------------------------------------
UnixWare 7.1.1    /usr/sbin/addr
                  /usr/sbin/dig
                  /usr/sbin/dnskeygen
                  /usr/sbin/dnsquery
                  /usr/sbin/host
                  /usr/sbin/in.named
                  /usr/sbin/irpd
                  /usr/sbin/mkservdb
                  /usr/sbin/named-bootconf
                  /usr/sbin/named-bootconf.pl
                  /usr/sbin/named-xfer
                  /usr/sbin/ndc
                  /usr/sbin/nslookup
                  /usr/sbin/nsupdate


3. Solution

The proper solution is to install the latest packages.


4. UnixWare 7.1.1

4.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.33


4.2 Verification

MD5 (erg712479.Z) = c1faea2a6a1da952e88c5123f88a2f89

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools



4.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

Unknown installation method


5. References

Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0914


SCO security resources:
http://www.sco.com/support/security/index.html


This security fix closes SCO incidents sr886768 fz528464
erg712479.



6. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.

______________________________________________________________________________



Trustix Secure Linux

Updated:  December 01, 2003

Status

  Vulnerable

Vendor Statement

Please see http://www.trustix.org/errata/misc/2003/TSL-2003-0044-bind.asc.txt

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2003-0044

Package name:      bind
Summary:           negative cache sec. fix
Date:              2003-11-27
Affected versions: TSL 1.2, 1.5

- --------------------------------------------------------------------------
Package description:

BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain
Name System) protocols. BIND includes a DNS server (named), which resolves
host names to IP addresses, and a resolver library (routines for applications
to use when interfacing with DNS). A DNS server allows clients to name
resources or objects and share the information with other network machines.
The named DNS server can be used on workstations as a caching name server,
but is generally only needed on one machine for an entire network. Note that
the configuration files for making BIND act as a simple caching nameserver
are included in the caching-nameserver package. Install the bind package if
you need a DNS server for your network. If you want bind to act as a caching
name server, you will also need to install the caching-nameserver package.


Problem description:
According to the bind announcement dated Thu, 27 Nov 2003, the new upstream
bind 8.3.7 fixes a security problem:


Security Fix: Negative Cache Poison Fix.

This issue has been addressed in these updates.


Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.



Location:
All TSL updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.



Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.



Public testing:
These packages have been available for public testing for some time.
If you want to contribute by testing the various packages in the
testing tree, please feel free to share your findings on the
tsl-discuss mailinglist.
The testing tree is located at
<URI:http://tsldev.trustix.org/cloud/>

You may also use swup for public testing of updates:

site {
    class = 0
    location = "http://tsldev.trustix.org/cloud/rdfs/latest.rdf"
    regexp = ".*"
}


Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>


Verification:
This advisory along with all TSL packages are signed with the TSL sign key.
This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>

The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-1.2/> and
<URI:http://www.trustix.org/errata/trustix-1.5/>
or directly at
<URI:http://www.trustix.org/errata/misc/2003/TSL-2003-0044-bind.asc.txt>


MD5sums of the packages:
- --------------------------------------------------------------------------
0e109cf7c3ec04f6adfbd3dddcbc94d3  ./1.5/srpms/bind-8.2.6-3tr.src.rpm
b353b0517f50b18c6f2bb180151ad671  ./1.5/rpms/bind-utils-8.2.6-3tr.i586.rpm
872ed56a159fa9e8404e30c6f6afdce0  ./1.5/rpms/bind-devel-8.2.6-3tr.i586.rpm
ade76318032b7a95f2426edcf10e75a8  ./1.5/rpms/bind-8.2.6-3tr.i586.rpm
0e109cf7c3ec04f6adfbd3dddcbc94d3  ./1.2/srpms/bind-8.2.6-3tr.src.rpm
dd01d1afce4afd60b08857706f2150ee  ./1.2/rpms/bind-utils-8.2.6-3tr.i586.rpm
590118f78a8cddbaf8dc8c142ef57cb3  ./1.2/rpms/bind-devel-8.2.6-3tr.i586.rpm
ca631fbe974a6926c8ba32b46c3ac7d4  ./1.2/rpms/bind-8.2.6-3tr.i586.rpm
- --------------------------------------------------------------------------


TSL Security Team



Check Point

Notified:  October 21, 2003 Updated:  October 27, 2003

Status

  Not Vulnerable

Vendor Statement

Check Point products are not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Cray Inc.

Notified:  October 21, 2003 Updated:  November 17, 2003

Status

  Not Vulnerable

Vendor Statement

Cray Inc. is not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Hitachi

Notified:  October 21, 2003 Updated:  November 25, 2003

Status

  Not Vulnerable

Vendor Statement

Hitachi HI-UX/WE2 is NOT Vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Juniper Networks

Notified:  October 21, 2003 Updated:  December 03, 2003

Status

  Not Vulnerable

Vendor Statement

No Juniper Networks products contain this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


MandrakeSoft

Notified:  October 21, 2003 Updated:  November 17, 2003

Status

  Not Vulnerable

Vendor Statement

No MandrakeSoft products are affected by this as we ship BIND9 in all of our products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Nominum

Notified:  October 21, 2003 Updated:  November 17, 2003

Status

  Not Vulnerable

Vendor Statement

Nominum products are not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Red Hat Inc.

Notified:  October 21, 2003 Updated:  November 17, 2003

Status

  Not Vulnerable

Vendor Statement

Red Hat ships Bind 9 in all our supported distributions and therefore we are not affected by this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


SGI

Notified:  October 21, 2003 Updated:  November 17, 2003

Status

  Not Vulnerable

Vendor Statement

SGI acknowledges VU#734644 reported by CERT and has determined that both SGI IRIX for MIPS systems and SGI ProPack Linux for Altix (IA64) are not vulnerable as BIND 8 does not ship with SGI IRIX or ProPack.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

adns

Notified:  October 21, 2003 Updated:  November 20, 2003

Status

  Not Vulnerable

Vendor Statement

adns is not a nameserver and has no cache. It is not vulnerable to these kinds of problems.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

BSDI

Notified:  October 21, 2003 Updated:  October 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

BlueCat Networks

Notified:  October 21, 2003 Updated:  October 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva

Notified:  October 21, 2003 Updated:  October 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Notified:  October 21, 2003 Updated:  October 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

EMC Corporation

Notified:  October 21, 2003 Updated:  November 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Notified:  October 21, 2003 Updated:  November 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM eServer

Notified:  October 21, 2003 Updated:  November 17, 2003

Status

  Unknown

Vendor Statement

IBM eServer Platform Response

For information related to this and other published CERT Advisories that may relate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) please go to
https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/securityalerts?OpenDocument&pathID=3D

In order to access this information you will require a Resource Link ID. To subscribe to Resource Link go to http://app-06.www.ibm.com/servers/resourcelink and follow the steps for registration.

All questions should be referred to servsec@us.ibm.com.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ingrian Networks

Notified:  October 21, 2003 Updated:  November 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lucent Technologies

Notified:  October 21, 2003 Updated:  November 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Men&Mice

Notified:  October 21, 2003 Updated:  November 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MetaSolv Software Inc.

Notified:  October 21, 2003 Updated:  October 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MontaVista Software

Notified:  October 21, 2003 Updated:  October 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC Corporation

Notified:  October 21, 2003 Updated:  October 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nokia

Notified:  October 21, 2003 Updated:  October 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nortel Networks

Notified:  October 21, 2003 Updated:  November 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Novell

Notified:  November 17, 2003 Updated:  November 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall GNU/*/Linux

Notified:  October 21, 2003 Updated:  October 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sequent

Notified:  October 21, 2003 Updated:  October 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony Corporation

Notified:  October 21, 2003 Updated:  November 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The SCO Group (SCO Linux)

Notified:  October 21, 2003 Updated:  October 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisys

Notified:  October 21, 2003 Updated:  October 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Wind River Systems Inc.

Notified:  October 21, 2003 Updated:  November 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Wirex

Notified:  October 21, 2003 Updated:  November 17, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A

Credit

The CERT/CC thanks the Internet Software Consortium for bringing this vulnerability to our attention.

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs: CVE-2003-0914
Severity Metric: 1.50
Date Public: 2003-11-26
Date First Published: 2003-12-01
Date Last Updated: 2004-01-05 00:30 UTC
Document Revision: 40

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.