Follow @Openwall on Twitter for new release announcements and other news

Security patch for the one true BIND 4.9.x (historical)

Although we do not recommend it, some sites may prefer to continue using the deprecated BIND 4.x for whatever weird reasons rather than upgrade to 8.x or 9.x. Unfortunately, some security features (running as a non-root user and in a chrooted environment) were in 8.x+ only. This patch makes these available back in 4.x (well, with some changes) and adds OpenBSD-style random IDs (the implementation differs, though).

You can read instructions on setting up the jail.

Download:

These files are also available from the Openwall file archive.

Follow this link for information on verifying the signatures.

November 14, 2002
Additional BIND vulnerabilities have been discovered by ISS, affecting both the DNS server and the resolver library. BIND 4.9.10-OW2 includes the patch provided by ISC and is likely to become 4.9.11-OW1 once BIND 4.9.11 is officially released.

October 1, 2002
BIND 4.9.10 and 4.9.10-OW1 have been released and fix a read beyond end of buffer vulnerability in the resolver library. The impact is believed to be very minor (if any). The DNS server itself (named) is unaffected. You can refer to the CERT Vulnerability Note for more information.

June 29, 2002
Joost Pol of PINE-CERT has discovered a vulnerability in the resolver library code used on *BSD (as well as on a number of other systems, including those based around the GNU C library prior to version 2.1.3) and included with BIND. The vulnerability affects applications and BIND tools that use the vulnerable library code. The BIND DNS server itself (named) is unaffected. You can refer to CERT advisory CA-2002-19 for more information.

The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for this vulnerability, originally developed by Jun-ichiro itojun Hagino of NetBSD.

Note that in order to make use of the fixes you need to rebuild all applications that are statically linked against and make use of the BIND-provided resolver routines.

January 29, 2001
COVERT Labs at PGP Security has published a security advisory on a number of BIND vulnerabilities. Unfortunately, they've since taken the advisory offline. However, you can still see the corresponding CERT advisory CA-2001-02.

The BIND 4.9.7-OW5 patch contains fixes for the two most critical vulnerabilities (known as "infoleak" and "complain bug") that affect BIND 4.9.7. Older released versions of the BIND 4.9.7-OW patches didn't include these fixes and should be upgraded to at least 4.9.7-OW5 (the -OW patches, when used properly, reduced the impact of the "complain bug" vulnerability, though).

The BIND 4.9.8-OW1 patch no longer needs the "infoleak" and "complain bug" fixes (as these bugs are fixed in the 4.9.8 release), but adds a back-port of two fixes from BIND 8.2.2-P3+ (to the "naptr" and "maxdname" bugs, which are believed to be relatively minor and thus were not fixed in deprecated BIND versions including BIND 4).

Quick Comment:

152069