Date: Thu, 14 Nov 2002 15:37:19 -0200
From: secure@conectiva.com.br
To: conectiva-updates@papaleguas.conectiva.com.br, lwn@lwn.net,
Subject: [CLA-2002:546] Conectiva Linux Security Announcement - bind
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : bind
SUMMARY : Remote vulnerabilities in the BIND DNS server
DATE : 2002-11-14 15:36:00
ID : CLA-2002:546
RELEVANT
RELEASES : 6.0
- -------------------------------------------------------------------------
DESCRIPTION
"bind" is probably the most used DNS server on the internet.
ISS reported[7] buffer overflow and denial of service vulnerabilities
in some versions of the BIND software. The most dangerous one, the
buffer overflow, could be used by remote attacker to execute
arbitrary code on the server with the privileges of the user running
the "named" process.
The vulnerabilities explained below affect BIND as shipped with
Conectiva Linux 6.0. Conectiva Linux 7.0 and 8 already ship BIND 9.x,
which is not vulnerable to the problems reported by ISS.
1) Buffer overflow (CAN-2002-1219) [5]
An attacker who can make a vulnerable BIND server make recursive
queries to a domain that he (the attacker) controls can exploit this
vulnerability and execute arbitrary code on the server with the same
privileges as the "named" process. The BIND packages in Conectiva
Linux run the "named" process with an unprivileged user, and not
root, which mitigates the impact of this vulnerability somewhat,
requiring that the attacker take further steps to obtain root access.
Additionally, there is the bind-chroot package which, if used, runs
the server in a chroot area under /var/named which imposes an
additional restriction on the actions a potential intruder can take.
2) Denial of service (CAN-2002-1221) [6]
The BIND server can be triggered into attempting a NULL pointer
dereference which will terminate the service. This can be caused by a
remote attacker who controls a DNS server authoritative for some
domain queried by the vulnerable BIND server.
The packages available through this advisory were built with patches
that were made publicly available[3] by ISC less than 24 hours ago.
Conectiva Linux and the majority of other GNU/Linux distributions
were notified about this vulnerability (but with not enough details
to produce a patch) about 12 hours before ISS made it public[7]. We
are worried about the way in which this whole incident has been
handled, specially when considering that DNS is part of the internet
infrastructure and thus a vital service.
We, and many vendors, do believe in what is commonly called
"responsible full disclosure"[8], where all details about a
vulnerability are made public after all vendors were notified in
advance and have had a reasonable amount of time to prepare and test
updated packages. We believe this to be the most secure and
responsible method for disclosing vulnerabilities.
SOLUTION
All BIND users should upgrade immediately. After the upgrade, the
named service will be automatically restarted if needed.
If it is not possible to upgrade the packages immediately, users
should disable recursive queries or restrict them. Disabling
recursive queries can be done by the "recursion no;" parameter in the
options section of the named.conf configuration file. Restricting
access to such queries can be accomplished via the "allow-recursion"
directive in the same configuration file.
REFERENCES
1.http://www.isc.org/
2.http://www.cert.org/advisories/CA-2002-31.html
3.http://www.isc.org/products/BIND/patches/bind826.diff
4.http://www.isc.org/products/BIND/bind-security.html
5.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1219
6.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1221
7.https://gtoc.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469
8.http://distro.conectiva.com.br/seguranca/problemas/?idioma=en
DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/bind-8.2.6-1U60_2cl.src.rpmftp://atualizacoes.conectiva.com.br/6.0/SRPMS/bind-chroot-8.2.6-1U60_2cl.src.rpmftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-8.2.6-1U60_2cl.i386.rpmftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-chroot-8.2.6-1U60_2cl.i386.rpmftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-devel-8.2.6-1U60_2cl.i386.rpmftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-devel-static-8.2.6-1U60_2cl.i386.rpmftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-doc-8.2.6-1U60_2cl.i386.rpmftp://atualizacoes.conectiva.com.br/6.0/RPMS/bind-utils-8.2.6-1U60_2cl.i386.rpm
ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- add the following line to /etc/apt/sources.list if it is not there yet
(you may also use linuxconf to do this):
rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates
(replace 6.0 with the correct version number if you are not running CL6.0)
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE9099O42jd0JmAcZARAiZGAKDMz0e8eiF+0Zws8sQkvkE5NcHKywCg24tc
ixMwRpolJ8skSz3KyrLfVjM=
=Smdc
-----END PGP SIGNATURE-----
