-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1963-1                  security@debian.org
http://www.debian.org/security/                           Florian Weimer
December 23, 2009                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : unbound
Vulnerability  : cryptographic implementation error
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2009-3602

It was discovered that Unbound, a DNS resolver, does not properly
check cryptographic signatures on NSEC3 records.  As a result, zones
signed with the NSEC3 variant of DNSSEC lose their cryptographic
protection.  (An attacker would still have to carry out an ordinary
cache poisoning attack to add bad data to the cache.)

The old stable distribution (etch) does not contain an unbound
package.

For the stable distribution (lenny), this problem has been fixed in
version 1.0.2-1+lenny1.

For the unstable distribution (sid) and the testing distribution
(squeeze), this problem has been fixed in version 1.3.4-1.

We recommend that you upgrade your unbound package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Source archives:

      Size/MD5 checksum:  3597275 01b08a9c0d24be981de64b6e4e25ecbe
      Size/MD5 checksum:    11066 b003007bc954f8877791de9e22c3c146
      Size/MD5 checksum:     1436 9e83801b9223c4ac8535243f880044a8

alpha architecture (DEC Alpha)

      Size/MD5 checksum:   320244 9482874b056753f0082025d8735643f5
      Size/MD5 checksum:    12738 034c9f659508551082c0411307b9c502
      Size/MD5 checksum:   215888 4cd1a8ae7cfb61d917b99267746f1877
      Size/MD5 checksum:   381560 d89de99e20d73980efb5031fe70f06ff

amd64 architecture (AMD x86_64 (AMD64))

      Size/MD5 checksum:   200256 a7c7cd577f7271a63abac791dbf1469b
      Size/MD5 checksum:   358126 86bab87ab0f5d5cdb94057dc9bc4ea2d
      Size/MD5 checksum:    12266 babd3fec31c85a5ff91080e44504a4cf
      Size/MD5 checksum:   235494 e7e814a39e5524c8e64134cdbfd4dce9

arm architecture (ARM)

      Size/MD5 checksum:    11892 139bd5b0186a6187c6a8283330bff6ae
      Size/MD5 checksum:   179624 44c9d6c40987ea1d02f70615f4bf1d6d
      Size/MD5 checksum:   210562 c81ae06d74c86ca42d85481065fa7133
      Size/MD5 checksum:   334640 f5693d14213e4118eec1b93d29e13e2f

armel architecture (ARM EABI)

      Size/MD5 checksum:   331972 00e1c301c73ea80752c6d2f93e3ac521
      Size/MD5 checksum:   178740 f39e019eee3b4c54380d9a065f9a2621
      Size/MD5 checksum:    11850 0726a83164dee4ee7abac8101249bf1a
      Size/MD5 checksum:   209640 904f538ef4d6c3b2ee199c255fd7bbc5

hppa architecture (HP PA RISC)

      Size/MD5 checksum:   207560 af33e156e79347ed6d7b791b4f257524
      Size/MD5 checksum:   260268 27d99bddc430f56a283897bbfbbbbafe
      Size/MD5 checksum:   377250 8887398b373794cdbe669c2ecf41ad39
      Size/MD5 checksum:    12810 d5686532a7612faaf4b1de58957bb7c4

i386 architecture (Intel ia32)

      Size/MD5 checksum:    11938 0431937c6253cedf452ddb0227f93cb2
      Size/MD5 checksum:   186228 9e1c7aa0b3b5c43435a0a3d402ddc062
      Size/MD5 checksum:   207836 933044378c345e44d57b95ae6aaebee5
      Size/MD5 checksum:   333658 777eb04b75e53b2eeeb83446cc91313c

ia64 architecture (Intel ia64)

      Size/MD5 checksum:   495470 2fbc1a857aab0008d3397f6cffe0d6e0
      Size/MD5 checksum:   336702 8b5bdaac3cfd2f6f932d2751b025a2af
      Size/MD5 checksum:    14356 d81133f39d102425ab8860751e50d5bd
      Size/MD5 checksum:   270068 2e6860fdf2c35adbd8d36bd671e2a6ac

mips architecture (MIPS (Big Endian))

      Size/MD5 checksum:   363468 e52ee62e28ec76119133aa85751cad82
      Size/MD5 checksum:   258186 d7a48e7895f10d5daae90756e1f992af
      Size/MD5 checksum:   184786 e8b44c5bf399601e7b361241d6e75ea4
      Size/MD5 checksum:    11994 fa14dcef4206f545162eadb5e5105966

mipsel architecture (MIPS (Little Endian))

      Size/MD5 checksum:   255822 c3c2c805745d627df87db1d042641445
      Size/MD5 checksum:    12040 993713e7f0fa831dd703ffd626e1d60e
      Size/MD5 checksum:   182534 1d279a306fb2a9e7f3de110c846104aa
      Size/MD5 checksum:   359236 3d3342777414135d94d26190da032d6c

powerpc architecture (PowerPC)

      Size/MD5 checksum:   359150 ffadb6a8602493bb90eae81cdc88506d
      Size/MD5 checksum:   240514 ac86e3a4653450b6e7b790484dec5eea
      Size/MD5 checksum:   207604 104ee743c6be3bde389386f9ee99ccf9
      Size/MD5 checksum:    14950 4ac8e2623b5f69213f52184a94927aca

s390 architecture (IBM S/390)

      Size/MD5 checksum:   375566 b4a618cde1434867d7d3f4c51b15588b
      Size/MD5 checksum:   207636 1af11fd95321e6a1e36c0217a6891b55
      Size/MD5 checksum:   233232 9d239915eab5a7ac94dc45c900225ae7
      Size/MD5 checksum:    12728 6245613210b76778257906493903c47b

sparc architecture (Sun SPARC/UltraSPARC)

      Size/MD5 checksum:   330738 12513df68b7e408cdad4863629d08ed4
      Size/MD5 checksum:   218752 25f95e3756644e92c950e0d8248ba541
      Size/MD5 checksum:   184136 4177a529c2c6fc422cbb74863390370b
      Size/MD5 checksum:    12356 4d4e6d0c96e7263372c233368cc4f69a


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp:  dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

Debian: DSA-1963-1: New unbound packages fix DNSSEC validation

December 23, 2009
It was discovered that Unbound, a DNS resolver, does not properly check cryptographic signatures on NSEC3 records

Summary

It was discovered that Unbound, a DNS resolver, does not properly
check cryptographic signatures on NSEC3 records. As a result, zones
signed with the NSEC3 variant of DNSSEC lose their cryptographic
protection. (An attacker would still have to carry out an ordinary
cache poisoning attack to add bad data to the cache.)

The old stable distribution (etch) does not contain an unbound
package.

For the stable distribution (lenny), this problem has been fixed in
version 1.0.2-1+lenny1.

For the unstable distribution (sid) and the testing distribution
(squeeze), this problem has been fixed in version 1.3.4-1.

We recommend that you upgrade your unbound package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny

Source archives:

Size/MD5 checksum: 3597275 01b08a9c0d24be981de64b6e4e25ecbe
Size/MD5 checksum: 11066 b003007bc954f8877791de9e22c3c146
Size/MD5 checksum: 1436 9e83801b9223c4ac8535243f880044a8

alpha architecture (DEC Alpha)

Size/MD5 checksum: 320244 9482874b056753f0082025d8735643f5
Size/MD5 checksum: 12738 034c9f659508551082c0411307b9c502
Size/MD5 checksum: 215888 4cd1a8ae7cfb61d917b99267746f1877
Size/MD5 checksum: 381560 d89de99e20d73980efb5031fe70f06ff

amd64 architecture (AMD x86_64 (AMD64))

Size/MD5 checksum: 200256 a7c7cd577f7271a63abac791dbf1469b
Size/MD5 checksum: 358126 86bab87ab0f5d5cdb94057dc9bc4ea2d
Size/MD5 checksum: 12266 babd3fec31c85a5ff91080e44504a4cf
Size/MD5 checksum: 235494 e7e814a39e5524c8e64134cdbfd4dce9

arm architecture (ARM)

Size/MD5 checksum: 11892 139bd5b0186a6187c6a8283330bff6ae
Size/MD5 checksum: 179624 44c9d6c40987ea1d02f70615f4bf1d6d
Size/MD5 checksum: 210562 c81ae06d74c86ca42d85481065fa7133
Size/MD5 checksum: 334640 f5693d14213e4118eec1b93d29e13e2f

armel architecture (ARM EABI)

Size/MD5 checksum: 331972 00e1c301c73ea80752c6d2f93e3ac521
Size/MD5 checksum: 178740 f39e019eee3b4c54380d9a065f9a2621
Size/MD5 checksum: 11850 0726a83164dee4ee7abac8101249bf1a
Size/MD5 checksum: 209640 904f538ef4d6c3b2ee199c255fd7bbc5

hppa architecture (HP PA RISC)

Size/MD5 checksum: 207560 af33e156e79347ed6d7b791b4f257524
Size/MD5 checksum: 260268 27d99bddc430f56a283897bbfbbbbafe
Size/MD5 checksum: 377250 8887398b373794cdbe669c2ecf41ad39
Size/MD5 checksum: 12810 d5686532a7612faaf4b1de58957bb7c4

i386 architecture (Intel ia32)

Size/MD5 checksum: 11938 0431937c6253cedf452ddb0227f93cb2
Size/MD5 checksum: 186228 9e1c7aa0b3b5c43435a0a3d402ddc062
Size/MD5 checksum: 207836 933044378c345e44d57b95ae6aaebee5
Size/MD5 checksum: 333658 777eb04b75e53b2eeeb83446cc91313c

ia64 architecture (Intel ia64)

Size/MD5 checksum: 495470 2fbc1a857aab0008d3397f6cffe0d6e0
Size/MD5 checksum: 336702 8b5bdaac3cfd2f6f932d2751b025a2af
Size/MD5 checksum: 14356 d81133f39d102425ab8860751e50d5bd
Size/MD5 checksum: 270068 2e6860fdf2c35adbd8d36bd671e2a6ac

mips architecture (MIPS (Big Endian))

Size/MD5 checksum: 363468 e52ee62e28ec76119133aa85751cad82
Size/MD5 checksum: 258186 d7a48e7895f10d5daae90756e1f992af
Size/MD5 checksum: 184786 e8b44c5bf399601e7b361241d6e75ea4
Size/MD5 checksum: 11994 fa14dcef4206f545162eadb5e5105966

mipsel architecture (MIPS (Little Endian))

Size/MD5 checksum: 255822 c3c2c805745d627df87db1d042641445
Size/MD5 checksum: 12040 993713e7f0fa831dd703ffd626e1d60e
Size/MD5 checksum: 182534 1d279a306fb2a9e7f3de110c846104aa
Size/MD5 checksum: 359236 3d3342777414135d94d26190da032d6c

powerpc architecture (PowerPC)

Size/MD5 checksum: 359150 ffadb6a8602493bb90eae81cdc88506d
Size/MD5 checksum: 240514 ac86e3a4653450b6e7b790484dec5eea
Size/MD5 checksum: 207604 104ee743c6be3bde389386f9ee99ccf9
Size/MD5 checksum: 14950 4ac8e2623b5f69213f52184a94927aca

s390 architecture (IBM S/390)

Size/MD5 checksum: 375566 b4a618cde1434867d7d3f4c51b15588b
Size/MD5 checksum: 207636 1af11fd95321e6a1e36c0217a6891b55
Size/MD5 checksum: 233232 9d239915eab5a7ac94dc45c900225ae7
Size/MD5 checksum: 12728 6245613210b76778257906493903c47b

sparc architecture (Sun SPARC/UltraSPARC)

Size/MD5 checksum: 330738 12513df68b7e408cdad4863629d08ed4
Size/MD5 checksum: 218752 25f95e3756644e92c950e0d8248ba541
Size/MD5 checksum: 184136 4177a529c2c6fc422cbb74863390370b
Size/MD5 checksum: 12356 4d4e6d0c96e7263372c233368cc4f69a


These files will probably be moved into the stable distribution on
its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

Severity
Package : unbound
Vulnerability : cryptographic implementation error
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-3602

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved