-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2007:149 http://www.mandriva.com/security/ _______________________________________________________________________ Package : bind Date : December 31, 1969 Affected: 2007.0, 2007.1, Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0 _______________________________________________________________________ Problem Description: The DNS query id generation code in BIND9 is vulnerable to cryptographic analysis which provides a 1-in-8 change of guessing the next query ID for 50% of the query IDs, which could be used by a remote attacker to perform cache poisoning by an attacker (CVE-2007-2926). As well, in BIND9 9.4.x, the default ACLs were note being correctly set, which could allow anyone to make recursive queries and/or query the cache contents (CVE-2007-2925). This update provides packages which are patched to prevent these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2925 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926 http://www.isc.org/index.pl?/sw/bind/bind-security.php _______________________________________________________________________ Updated Packages: Mandriva Linux 2007.0: 2ebbd9a8148b7b4f05d255724627e348 2007.0/i586/bind-9.3.2-8.3mdv2007.0.i586.rpm 386aa2bab5b3e23cb0c6f19bc17b0cd5 2007.0/i586/bind-devel-9.3.2-8.3mdv2007.0.i586.rpm d8e4b592f2d0fa630e32c23c50ab2565 2007.0/i586/bind-utils-9.3.2-8.3mdv2007.0.i586.rpm 557c41948b1ff0e4f329e2592c0dcb9f 2007.0/SRPMS/bind-9.3.2-8.3mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: 7fe09bf456f8a4d83ee7e4caad08b791 2007.0/x86_64/bind-9.3.2-8.3mdv2007.0.x86_64.rpm e5d4a371c47e6a6f6567c454766ea734 2007.0/x86_64/bind-devel-9.3.2-8.3mdv2007.0.x86_64.rpm 5a41c963b1e5fab7515856f14ec4c3c4 2007.0/x86_64/bind-utils-9.3.2-8.3mdv2007.0.x86_64.rpm 557c41948b1ff0e4f329e2592c0dcb9f 2007.0/SRPMS/bind-9.3.2-8.3mdv2007.0.src.rpm Mandriva Linux 2007.1: c5edcec0bc385a1a2c717963b0f15dc0 2007.1/i586/bind-9.4.1-0.2mdv2007.1.i586.rpm 9c579fed148a85a852b73828613cafde 2007.1/i586/bind-devel-9.4.1-0.2mdv2007.1.i586.rpm 9a761cb0c7128b83522934b2d9cc2dfc 2007.1/i586/bind-utils-9.4.1-0.2mdv2007.1.i586.rpm af14ae7948a33b1bf21d9bcafbf0e98e 2007.1/SRPMS/bind-9.4.1-0.2mdv2007.1.src.rpm Mandriva Linux 2007.1/X86_64: 7a612949e7810f83e1322a574be9500c 2007.1/x86_64/bind-9.4.1-0.2mdv2007.1.x86_64.rpm ece5e802b3d5928999c34b1f9c95dfc8 2007.1/x86_64/bind-devel-9.4.1-0.2mdv2007.1.x86_64.rpm b3ccec62bfc5d07b9858f04ce8de8fd1 2007.1/x86_64/bind-utils-9.4.1-0.2mdv2007.1.x86_64.rpm af14ae7948a33b1bf21d9bcafbf0e98e 2007.1/SRPMS/bind-9.4.1-0.2mdv2007.1.src.rpm Corporate 3.0: d0dae82e4a5f3e1e4c13c8886daa7e7b corporate/3.0/i586/bind-9.2.3-6.4.C30mdk.i586.rpm 237a8a3b0d0f3407a93a7f308eb7ac06 corporate/3.0/i586/bind-devel-9.2.3-6.4.C30mdk.i586.rpm abcf17e76c7cdf8ec8e6bbef2adfd79c corporate/3.0/i586/bind-utils-9.2.3-6.4.C30mdk.i586.rpm bf83bec867df0283d4977e50b8a51a09 corporate/3.0/SRPMS/bind-9.2.3-6.4.C30mdk.src.rpm Corporate 3.0/X86_64: 1394468eeb12fb9c2c52147eb1637a83 corporate/3.0/x86_64/bind-9.2.3-6.4.C30mdk.x86_64.rpm cd488003e8eb7174aa844896ace756f2 corporate/3.0/x86_64/bind-devel-9.2.3-6.4.C30mdk.x86_64.rpm f2fb153097f51bc2e99e31051b8b83cb corporate/3.0/x86_64/bind-utils-9.2.3-6.4.C30mdk.x86_64.rpm bf83bec867df0283d4977e50b8a51a09 corporate/3.0/SRPMS/bind-9.2.3-6.4.C30mdk.src.rpm Corporate 4.0: 324fe3327eada40144bf44b4a31ba869 corporate/4.0/i586/bind-9.3.2-7.3.20060mlcs4.i586.rpm c2f1b22c3edd38f9a8c87d96ca36b271 corporate/4.0/i586/bind-devel-9.3.2-7.3.20060mlcs4.i586.rpm 6f1cc8352c44a5ecf3affaf86981d505 corporate/4.0/i586/bind-utils-9.3.2-7.3.20060mlcs4.i586.rpm e36c4caca840fb114238bffa3875e8a5 corporate/4.0/SRPMS/bind-9.3.2-7.3.20060mlcs4.src.rpm Corporate 4.0/X86_64: c7a8dfd717b9a09d8dc41a3cb965dc5b corporate/4.0/x86_64/bind-9.3.2-7.3.20060mlcs4.x86_64.rpm 138e7372d556d5d9e4752fd8b0f2a51f corporate/4.0/x86_64/bind-devel-9.3.2-7.3.20060mlcs4.x86_64.rpm bea2637f03f65bb5348518be66829d73 corporate/4.0/x86_64/bind-utils-9.3.2-7.3.20060mlcs4.x86_64.rpm e36c4caca840fb114238bffa3875e8a5 corporate/4.0/SRPMS/bind-9.3.2-7.3.20060mlcs4.src.rpm Multi Network Firewall 2.0: 518dcd7390cbb5e05d2303ca1743c793 mnf/2.0/i586/bind-9.2.3-6.4.M20mdk.i586.rpm 22b28fe7739525ac2fe596a522473c32 mnf/2.0/i586/bind-devel-9.2.3-6.4.M20mdk.i586.rpm a6cb4e78f4f0f59a173ac58abd50011c mnf/2.0/i586/bind-utils-9.2.3-6.4.M20mdk.i586.rpm 00a33a7531bbf5bad6d74bb9f3978a78 mnf/2.0/SRPMS/bind-9.2.3-6.4.M20mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGp5JimqjQ0CJFipgRAqD6AJ9OTBYJpKC/KgUUCTznXm0MpPuWTQCfcVP9 ZQO+2o8wd82rf9m4/arm09M= =vTH7 -----END PGP SIGNATURE-----