oss-security - Re: a new bind issue

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Message-ID: <1514102384.696821259088010479.JavaMail.root@zmail01.collab.prod.int.phx2.redhat.com>
Date: Tue, 24 Nov 2009 13:40:10 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: a new bind issue

CVE-2009-4022

Bind versions 9.0.x, 9.1.x, 9.2.x, 9.3.x, 9.4.0 before 9.4.3-P3, 9.5.0,
9.5.1, 9.5.2, 9.6.0, 9.6.1-P1

References:
https://www.isc.org/node/504
http://www.kb.cert.org/vuls/id/418861
https://bugzilla.redhat.com/show_bug.cgi?id=538744

Thanks.

-- 
    JB

----- "Oden Eriksson" <oeriksson@...driva.com> wrote:

> Hello.
> 
> A new bind release is out there, it mentions:
> 
> "It addresses a potential cache poisoning vulnerability, in which data
> in the 
> additional section of a response could be cached without proper DNSSEC
> 
> validation."
> 
> "2772.   [security]      When validating, track whether pending data
> was from
>                         the additional section or not and only return
> it if
>                         validates as secure. [RT #20438]"
> 
> 
> A CVE should probably be assigned.
> 
> 
> -- 
> Regards // Oden Eriksson
> Security team manager - Mandriva

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.