Debian alert: New BIND packages fix several vulnerabilities

Posted by dave on Nov 14, 2002 8:04 AM EDT
Mailing list
Mail this story
Print this story

[Bind version 9, the bind9 package, is not affected by these problems.]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 196-1                     security@debian.org
http://www.debian.org/security/                          Daniel Jacobowitz
November 14th, 2002                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : bind
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE Id         : CAN-2002-1219 CAN-2002-1220 CAN-2002-1221
CERT advisory  : VU#844360 VU#852283 VU#229595 VU#542971

[Bind version 9, the bind9 package, is not affected by these problems.]

ISS X-Force has discovered several serious vulnerabilities in the Berkeley
Internet Name Domain Server (BIND).  BIND is the most common implementation
of the DNS (Domain Name Service) protocol, which is used on the vast
majority of DNS servers on the Internet.  DNS is a vital Internet protocol
that maintains a database of easy-to-remember domain names (host names) and
their corresponding numerical IP addresses.

Circumstancial evidence suggests that the Internet Software Consortium
(ISC), maintainers of BIND, was made aware of these issues in mid-October.
Distributors of Open Source operating systems, including Debian, were
notified of these vulnerabilities via CERT about 12 hours before the release
of the advisories on November 12th.  This notification did not include any
details that allowed us to identify the vulnerable code, much less prepare
timely fixes.

Unfortunately ISS and the ISC released their security advisories with only
descriptions of the vulnerabilities, without any patches.  Even though there
were no signs that these exploits are known to the black-hat community, and
there were no reports of active attacks, such attacks could have been
developed in the meantime - with no fixes available.

We can all express our regret at the inability of the ironically named
Internet Software Consortium to work with the Internet community in handling
this problem.  Hopefully this will not become a model for dealing with
security issues in the future.

The Common Vulnerabilities and Exposures (CVE) project identified the
following vulnerabilities:

1. CAN-2002-1219: A buffer overflow in BIND 8 versions 8.3.3 and earlier
   allows a remote attacker to execute arbitrary code via a certain DNS
   server response containing SIG resource records (RR).  This buffer
   overflow can be exploited to obtain access to the victim host under the
   account the named process is running with, usually root.

2. CAN-2002-1220: BIND 8 versions 8.3.x through 8.3.3 allows a remote
   attacker to cause a denial of service (termination due to assertion
   failure) via a request for a subdomain that does not exist, with an OPT
   resource record with a large UDP payload size.

3. CAN-2002-1221: BIND 8 versions 8.x through 8.3.3 allows a remote attacker
   to cause a denial of service (crash) via SIG RR elements with invalid
   expiry times, which are removed from the internal BIND database and later
   cause a null dereference.

These problems have been fixed in version 8.3.3-2.0woody1 for the current
stable distribution (woody), in 8.2.3-0.potato.3 for the previous stable
distribution (potato) and in version 8.3.3-3 for the unstable distribution
(sid).  The fixed packages for unstable will enter the archive today.

We recommend that you upgrade your bind package immediately, update to
bind9, or switch to another DNS server implementation.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian 2.2 (oldstable)
- ----------------------

  Oldstable was released for alpha, arm, i386, m68k, powerpc and sparc.

  Source archives:

    http://security.debian.org/pool/updates/main/b/bind/bind_8.2.3-0.potato.3.dsc
      Size/MD5 checksum:      630 98f61786fa959c589c0a651868a622f9
    http://security.debian.org/pool/updates/main/b/bind/bind_8.2.3-0.potato.3.diff.gz
      Size/MD5 checksum:   162301 be163758728858c77dbee6ae67f9a5d5
    http://security.debian.org/pool/updates/main/b/bind/bind_8.2.3.orig.tar.gz
      Size/MD5 checksum:  2610779 46b88bbdb1487951ddad41f42d96e913

  Architecture independent packages:

    http://security.debian.org/pool/updates/main/b/bind/task-dns-server_8.2.3-0.potato.3_all.deb
      Size/MD5 checksum:    11784 e75edf3668a5e402a1786ead21dfa2c2
    http://security.debian.org/pool/updates/main/b/bind/bind-doc_8.2.3-0.potato.3_all.deb
      Size/MD5 checksum:  1205360 c238cea2c548ce03599948fa94aa2e7d

  alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.2.3-0.potato.3_alpha.deb
      Size/MD5 checksum:   430518 538b677dcb4df6c0ef601663ff9cf3e7
    http://security.debian.org/pool/updates/main/b/bind/bind_8.2.3-0.potato.3_alpha.deb
      Size/MD5 checksum:   757704 9f075c3e03d36c393fbeeaf2f5a7b10a
    http://security.debian.org/pool/updates/main/b/bind/dnsutils_8.2.3-0.potato.3_alpha.deb
      Size/MD5 checksum:   450254 c811eda1f1a8212d17d9beeafc892858

  arm architecture (ARM)

    http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.2.3-0.potato.3_arm.deb
      Size/MD5 checksum:   348888 b53e413cdd06f1fa422e27e7f318deb9
    http://security.debian.org/pool/updates/main/b/bind/dnsutils_8.2.3-0.potato.3_arm.deb
      Size/MD5 checksum:   354084 63004fdf3b7babf014e4b55d18f21be0
    http://security.debian.org/pool/updates/main/b/bind/bind_8.2.3-0.potato.3_arm.deb
      Size/MD5 checksum:   600964 e14cf9feb989058dfce82e42b112c09a

  i386 architecture (Intel ia32)

    http://security.debian.org/pool/updates/main/b/bind/dnsutils_8.2.3-0.potato.3_i386.deb
      Size/MD5 checksum:   340444 31b08eaeb38c0df2ed1cb6cb6fa3f5de
    http://security.debian.org/pool/updates/main/b/bind/bind_8.2.3-0.potato.3_i386.deb
      Size/MD5 checksum:   572016 540d025d851c207596f02f293d32dbca
    http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.2.3-0.potato.3_i386.deb
      Size/MD5 checksum:   309622 476724d25b348bdfa3f314bf8777e05a

  m68k architecture (Motorola Mc680x0)

    http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.2.3-0.potato.3_m68k.deb
      Size/MD5 checksum:   292776 8a6434791431dfb571516650b84d68e1
    http://security.debian.org/pool/updates/main/b/bind/dnsutils_8.2.3-0.potato.3_m68k.deb
      Size/MD5 checksum:   310122 696bb7556163e30bfd39d3798c2ba094
    http://security.debian.org/pool/updates/main/b/bind/bind_8.2.3-0.potato.3_m68k.deb
      Size/MD5 checksum:   520006 ff5bb2578be770dcaa209fc9f28e66ae

  powerpc architecture (PowerPC)

    http://security.debian.org/pool/updates/main/b/bind/bind_8.2.3-0.potato.3_powerpc.deb
      Size/MD5 checksum:   617500 15b7bc50fa768046c504a03ddafec602
    http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.2.3-0.potato.3_powerpc.deb
      Size/MD5 checksum:   376410 0305a064cb99e0c8a6946c8f33fcdc0c
    http://security.debian.org/pool/updates/main/b/bind/dnsutils_8.2.3-0.potato.3_powerpc.deb
      Size/MD5 checksum:   371218 7dea62489269317b588df637e5b40298

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.debian.org/pool/updates/main/b/bind/bind_8.2.3-0.potato.3_sparc.deb
      Size/MD5 checksum:   607994 05807466ad228e965b60daeaeb8b3738
    http://security.debian.org/pool/updates/main/b/bind/dnsutils_8.2.3-0.potato.3_sparc.deb
      Size/MD5 checksum:   368582 6dec11c8f07deb83622632e99875d601
    http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.2.3-0.potato.3_sparc.deb
      Size/MD5 checksum:   335440 51a7f16483360f834f19577def32198f

Debian 3.0 (stable)
- -------------------

  Stable was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.

  Source archives:

    http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1.dsc
      Size/MD5 checksum:      639 0a65835e20faaba4f351b34330b7aa2c
    http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1.diff.gz
      Size/MD5 checksum:    31430 d7ff2bae2f2233c0a6588fbea3dd9964
    http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3.orig.tar.gz
      Size/MD5 checksum:  2713120 847ba93d1ac71b94560c002c9f730100

  Architecture independent packages:

    http://security.debian.org/pool/updates/main/b/bind/bind-doc_8.3.3-2.0woody1_all.deb
      Size/MD5 checksum:  1290726 0634671f5432f7a8c348e9624e64d349

  alpha architecture (DEC Alpha)

    http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1_alpha.deb
      Size/MD5 checksum:   999188 f2b729eb9f85b55d8a71db3e44db825a
    http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody1_alpha.deb
      Size/MD5 checksum:   509272 402cd93961d836a8e4cf491655ae0a29

  arm architecture (ARM)

    http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1_arm.deb
      Size/MD5 checksum:   826484 2a2abd103a460071f380ac501de6ee63
    http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody1_arm.deb
      Size/MD5 checksum:   426982 657a181d3781da2db5e434c1199c7628

  hppa architecture (HP PA RISC)

    http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1_hppa.deb
      Size/MD5 checksum:   921372 6193f53e7d6f676ab306ffb81b4df10d
    http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody1_hppa.deb
      Size/MD5 checksum:   475096 a948f910047cbad89d1c7ff26faacfae

  i386 architecture (Intel ia32)

    http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody1_i386.deb
      Size/MD5 checksum:   381878 12c0435300e4a879037895d3bb7f2ddc
    http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1_i386.deb
      Size/MD5 checksum:   793562 27e5c151a7acda692fc332f4db9ce218

  ia64 architecture (Intel ia64)

    http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1_ia64.deb
      Size/MD5 checksum:  1285738 5a72e98954d09e5cf3c5caaaf05f5f34
    http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody1_ia64.deb
      Size/MD5 checksum:   575798 bfc630343fc7a88f5ce005e387ee9639

  m68k architecture (Motorola Mc680x0)

    http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody1_m68k.deb
      Size/MD5 checksum:   362654 c6712c1d7f17daab556dbfe4a1823b99
    http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1_m68k.deb
      Size/MD5 checksum:   720556 67e91d9890a14be213407ecc8c993bab

  mips architecture (MIPS (Big Endian))

    http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1_mips.deb
      Size/MD5 checksum:   926866 c76bc7407b6c67b507ab5cd33a4618e1
    http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody1_mips.deb
      Size/MD5 checksum:   469762 75e3f4d14f742fa2fb44e0d4c9b7623d

  mipsel architecture (MIPS (Little Endian))

    http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1_mipsel.deb
      Size/MD5 checksum:   934246 c00972ae586cfd8a4475a932a35ca04a
    http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody1_mipsel.deb
      Size/MD5 checksum:   470648 6271291263bfbfb4e14733d02c560fa0

  powerpc architecture (PowerPC)

    http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody1_powerpc.deb
      Size/MD5 checksum:   451604 b9459ac7c9554f0276bef06762257785
    http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1_powerpc.deb
      Size/MD5 checksum:   851852 85e204bc94b1a0bb2fd02c0d4717400a

  s390 architecture (IBM S/390)

    http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1_s390.deb
      Size/MD5 checksum:   797738 101ec9c552bcf99618a08abb07209406
    http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody1_s390.deb
      Size/MD5 checksum:   387006 3ba683f9d05c411897432aee90566024

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.debian.org/pool/updates/main/b/bind/bind-dev_8.3.3-2.0woody1_sparc.deb
      Size/MD5 checksum:   408732 e4463b87c64a6d08863c470e757a6dd2
    http://security.debian.org/pool/updates/main/b/bind/bind_8.3.3-2.0woody1_sparc.deb
      Size/MD5 checksum:   839566 b42c13cdc206437eb3a5353d86e34201

  These files will probably be moved into the stable distribution on
  its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE909c5bgOPXuCjg3cRAqjYAJwIr0RACSJUzhbWhS5tyDls4H0TqQCdHQNS
1Jr9O6UgS5W0S6oXCCp5Ulc=
=ju51
-----END PGP SIGNATURE-----


  Nav
» Read more about: Story Type: Security; Groups: Debian

« Return to the newswire homepage

This topic does not have any threads posted yet!

You cannot post until you login.