---------- Forwarded message ---------- Date: Thu, 14 Nov 2002 19:12:41 -0700 From: Todd C. Miller <Todd.Miller@courtesan.com> To: security-announce@openbsd.org Subject: patch for named buffer overflow now available A patch for the named buffer overflow is now available. The bug could allow an attacker to execute code as the user that named runs as. In the default OpenBSD named configuration, named runs as its own, non-root, user in a chrooted jail. This lessens the impact of the bug to the level of a denial of service. Anyone not running named chrooted should start to do so immediately. For more information on the bug, please see: http://www.isc.org/products/BIND/bind-security.html http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469 The fix has been committed to OpenBSD-current as well as to the 3.2, 3.1 and 3.0 -stable branches. The following patches are also available for OpenBSD 3.2, 3.1 and 3.0 respectively: ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/005_named.patch ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/019_named.patch ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/036_named.patch
