Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  NEWS  community  lists  Wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [month] [year] [list] 
Date: Fri, 9 Oct 2009 16:35:03 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley@...us.mitre.org
Subject: Re: CVE request: Unbound


----- "Florian Weimer" <fw@...eb.enyo.de> wrote:

> Unbound before 1.3.4 does not check the signatures on NSEC3 records
> under unspecified conditions, enabling attackers who can perform DNS
> spoofing to downgrade existing secure delegations to insecure status,
> which then can be targeted in further spoofing attacks.
> 
> <http://unbound.net/pipermail/unbound-users/2009-October/000852.html>
> 
> (Older versions, back to 1.0.x, are also affected.)

Steve Christey asked me to assign CVE ids for oss-security requests for a bit,
so don't think it odd when I keep replying to these.

Please use CVE-2009-3602 for this.

Thanks

-- 
    JB

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ