GLSA Advocate
Posted: Mon Mar 09, 2009 5:26 pm Post subject: [ GLSA 200903-14 ] BIND: Incorrect signature verification
Gentoo Linux Security Advisory
Title: BIND: Incorrect signature verification (GLSA 200903-14)
Severity: normal
Exploitable: remote
Date: March 09, 2009
Bug(s): #254134, #257949
ID: 200903-14
Synopsis
Incomplete verification of RSA and DSA certificates might lead to spoofed
records authenticated using DNSSEC.
Background
ISC BIND is the Internet Systems Consortium implementation of the
Domain Name System (DNS) protocol.
Affected Packages
Package: net-dns/bind
Vulnerable: < 9.4.3_p1
Unaffected: >= 9.4.3_p1
Architectures: All supported architectures
Description
BIND does not properly check the return value from the OpenSSL
functions to verify DSA (CVE-2009-0025) and RSA (CVE-2009-0265)
certificates.
Impact
A remote attacker could bypass validation of the certificate chain to
spoof DNSSEC-authenticated records.
Workaround
There is no known workaround at this time.
Resolution
All BIND users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-dns/bind-9.4.3_p1"
References
CVE-2009-0025
CVE-2009-0265
Last edited by GLSA on Fri Jul 18, 2014 4:27 am; edited 2 times in total
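The return-value handling named in the Description, as an added example that is not part of the advisory and is not BIND's code. OpenSSL verification calls such as EVP_VerifyFinal and DSA_do_verify return 1 for a valid signature, 0 for an invalid one and a negative value on error, so a check that rejects only 0 accepts the error case. `verify_sig_stub`, the `SAMPLE_*` bytes and the `accept_*` functions are hypothetical names constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
/* Return convention modeled on OpenSSL verify calls: 1 = valid,
 * 0 = invalid, negative = the call failed and gave no verdict. */
enum { SIG_OK = 1, SIG_BAD = 0, SIG_ERR = -1 };

/* Constructed one-byte samples: the byte selects the simulated outcome. */
const unsigned char SAMPLE_VALID[]   = { 0x01 };
const unsigned char SAMPLE_INVALID[] = { 0x00 };
const unsigned char SAMPLE_ERROR[]   = { 0xEE };
const unsigned char *const SAMPLE_CHAIN[] = { SAMPLE_VALID, SAMPLE_ERROR };

/* Hypothetical stand-in for the library verify call (assumption). */
int verify_sig_stub(const unsigned char *sig, size_t len)
{
    if (len == 0 || sig[0] == 0xEE) return SIG_ERR;
    return sig[0] == 0x01 ? SIG_OK : SIG_BAD;
}

/* Flawed check: only 0 counts as failure, so an error return (-1)
 * falls through and the record is treated as authenticated. */
int accept_flawed(const unsigned char *sig, size_t len)
{
    int status = verify_sig_stub(sig, len);
    if (!status) return 0;
    return 1;
}

/* Corrected check: only an explicit 1 means "verified". */
int accept_strict(const unsigned char *sig, size_t len)
{
    return verify_sig_stub(sig, len) == SIG_OK;
}

/* A chain is accepted only if every (one-byte) link passes the check. */
int accept_chain(const unsigned char *const sigs[], size_t n,
                 int (*accept)(const unsigned char *, size_t))
{
    if (n == 0) return 0; /* an empty chain authenticates nothing */
    for (size_t i = 0; i < n; i++)
        if (!accept(sigs[i], 1)) return 0;
    return 1;
}

int main(void)
{
    printf("flawed=%d strict=%d\n", accept_chain(SAMPLE_CHAIN, 2, accept_flawed),
           accept_chain(SAMPLE_CHAIN, 2, accept_strict));
    return 0;
}
```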