-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------------- PACKAGE : bind SUMMARY : Remote vulnerabilities in the BIND DNS server DATE : 2002-11-14 15:36:00 ID : CLA-2002:546 RELEVANT RELEASES : 6.0 - ------------------------------------------------------------------------- DESCRIPTION "bind" is probably the most used DNS server on the internet. ISS reported[7] buffer overflow and denial of service vulnerabilities in some versions of the BIND software. The most dangerous one, the buffer overflow, could be used by remote attacker to execute arbitrary code on the server with the privileges of the user running the "named" process. The vulnerabilities explained below affect BIND as shipped with Conectiva Linux 6.0. Conectiva Linux 7.0 and 8 already ship BIND 9.x, which is not vulnerable to the problems reported by ISS. 1) Buffer overflow (CAN-2002-1219) [5] An attacker who can make a vulnerable BIND server make recursive queries to a domain that he (the attacker) controls can exploit this vulnerability and execute arbitrary code on the server with the same privileges as the "named" process. The BIND packages in Conectiva Linux run the "named" process with an unprivileged user, and not root, which mitigates the impact of this vulnerability somewhat, requiring that the attacker take further steps to obtain root access. Additionally, there is the bind-chroot package which, if used, runs the server in a chroot area under /var/named which imposes an additional restriction on the actions a potential intruder can take. 2) Denial of service (CAN-2002-1221) [6] The BIND server can be triggered into attempting a NULL pointer dereference which will terminate the service. This can be caused by a remote attacker who controls a DNS server authoritative for some domain queried by the vulnerable BIND server. The packages available through this advisory were built with patches that were made publicly available[3] by ISC less than 24 hours ago. Conectiva Linux and the majority of other GNU/Linux distributions were notified about this vulnerability (but with not enough details to produce a patch) about 12 hours before ISS made it public[7]. We are worried about the way in which this whole incident has been handled, specially when considering that DNS is part of the internet infrastructure and thus a vital service. We, and many vendors, do believe in what is commonly called "responsible full disclosure"[8], where all details about a vulnerability are made public after all vendors were notified in advance and have had a reasonable amount of time to prepare and test updated packages. We believe this to be the most secure and responsible method for disclosing vulnerabilities. SOLUTION All BIND users should upgrade immediately. After the upgrade, the named service will be automatically restarted if needed. If it is not possible to upgrade the packages immediately, users should disable recursive queries or restrict them. Disabling recursive queries can be done by the "recursion no;" parameter in the options section of the named.conf configuration file. Restricting access to such queries can be accomplished via the "allow-recursion" directive in the same configuration file. REFERENCES 1.http://www.isc.org/ 2.http://www.cert.org/advisories/CA-2002-31.html 3.http://www.isc.org/products/BIND/patches/bind826.diff 4.http://www.isc.org/products/BIND/bind-security.html 5.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1219 6.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1221 7.https://gtoc.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469 8.http://distro.conectiva.com.br/seguranca/problemas/?idioma=en DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/bind-8.2.6-1U60_2cl.src.rpm ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/bind-chroot-8.2.6-1U60_2cl.src.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-8.2.6-1U60_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-chroot-8.2.6-1U60_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-devel-8.2.6-1U60_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-devel-static-8.2.6-1U60_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-doc-8.2.6-1U60_2cl.i386.rpm ftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-utils-8.2.6-1U60_2cl.i386.rpm ADDITIONAL INSTRUCTIONS Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades of RPM packages: - add the following line to /etc/apt/sources.list if it is not there yet (you may also use linuxconf to do this): rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates (replace 6.0 with the correct version number if you are not running CL6.0) - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions reagarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en - ------------------------------------------------------------------------- subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9099O42jd0JmAcZARAiZGAKDMz0e8eiF+0Zws8sQkvkE5NcHKywCg24tc ixMwRpolJ8skSz3KyrLfVjM= =Smdc -----END PGP SIGNATURE-----
