What Are You Looking For?

Sign Up
Date:         Wed, 20 Jan 2010 13:25:21 -0600
Reply-To:     Troy Dawson 
Sender:       Security Errata for Scientific Linux
              
From:         Troy Dawson 
Subject:      Security ERRATA Moderate: bind on SL5.x i386/x86_64
Comments: To: "scientific-linux-errata@fnal.gov"
          

Synopsis:	Moderate: bind security update
Issue date:	2010-01-20
CVE Names:	CVE-2010-0097 CVE-2010-0290

CVE-2010-0097 BIND DNSSEC NSEC/NSEC3 validation code could cause bogus 
NXDOMAIN responses
CVE-2010-0290 BIND upstream fix for CVE-2009-4022 is incomplete

A flaw was found in the BIND DNSSEC NSEC/NSEC3 validation code. If BIND 
was running as a DNSSEC-validating resolver, it could incorrectly cache
NXDOMAIN responses, as if they were valid, for records proven by NSEC or
NSEC3 to exist. A remote attacker could use this flaw to cause a BIND
server to return the bogus, cached NXDOMAIN responses for valid records 
and prevent users from retrieving those records (denial of service).
(CVE-2010-0097)

The original fix for CVE-2009-4022 was found to be incomplete. BIND was
incorrectly caching certain responses without performing proper DNSSEC
validation. CNAME and DNAME records could be cached, without proper 
DNSSEC validation, when received from processing recursive client 
queries that requested DNSSEC records but indicated that checking should 
be disabled. A remote attacker could use this flaw to bypass the DNSSEC 
validation check and perform a cache poisoning attack if the target BIND 
server was receiving such client queries. (CVE-2010-0290)

After installing the update, the BIND daemon (named) will be restarted 
automatically.

SL 5.x

     SRPMS:
bind-9.3.6-4.P1.el5_4.2.src.rpm
     i386:
bind-9.3.6-4.P1.el5_4.2.i386.rpm
bind-chroot-9.3.6-4.P1.el5_4.2.i386.rpm
bind-devel-9.3.6-4.P1.el5_4.2.i386.rpm
bind-libbind-devel-9.3.6-4.P1.el5_4.2.i386.rpm
bind-libs-9.3.6-4.P1.el5_4.2.i386.rpm
bind-sdb-9.3.6-4.P1.el5_4.2.i386.rpm
bind-utils-9.3.6-4.P1.el5_4.2.i386.rpm
caching-nameserver-9.3.6-4.P1.el5_4.2.i386.rpm
     x86_64:
bind-9.3.6-4.P1.el5_4.2.x86_64.rpm
bind-chroot-9.3.6-4.P1.el5_4.2.x86_64.rpm
bind-devel-9.3.6-4.P1.el5_4.2.i386.rpm
bind-devel-9.3.6-4.P1.el5_4.2.x86_64.rpm
bind-libbind-devel-9.3.6-4.P1.el5_4.2.i386.rpm
bind-libbind-devel-9.3.6-4.P1.el5_4.2.x86_64.rpm
bind-libs-9.3.6-4.P1.el5_4.2.i386.rpm
bind-libs-9.3.6-4.P1.el5_4.2.x86_64.rpm
bind-sdb-9.3.6-4.P1.el5_4.2.x86_64.rpm
bind-utils-9.3.6-4.P1.el5_4.2.x86_64.rpm
caching-nameserver-9.3.6-4.P1.el5_4.2.x86_64.rpm

-Connie Sieh
-Troy Dawson

SciLinux: CVE-2010-0097 Moderate: bind SL5.x i386/x86_64

Moderate: bind security update

Summary

CVE-2010-0290 BIND upstream fix for CVE-2009-4022 is incompleteA flaw was found in the BIND DNSSEC NSEC/NSEC3 validation code. If BINDwas running as a DNSSEC-validating resolver, it could incorrectly cacheNXDOMAIN responses, as if they were valid, for records proven by NSEC orNSEC3 to exist. A remote attacker could use this flaw to cause a BINDserver to return the bogus, cached NXDOMAIN responses for valid recordsand prevent users from retrieving those records (denial of service).(CVE-2010-0097)The original fix for CVE-2009-4022 was found to be incomplete. BIND wasincorrectly caching certain responses without performing proper DNSSECvalidation. CNAME and DNAME records could be cached, without properDNSSEC validation, when received from processing recursive clientqueries that requested DNSSEC records but indicated that checking shouldbe disabled. A remote attacker could use this flaw to bypass the DNSSECvalidation check and perform a cache poisoning attack if the target BINDserver was receiving such client queries. (CVE-2010-0290)After installing the update, the BIND daemon (named) will be restartedautomatically.SL 5.xSRPMS:bind-9.3.6-4.P1.el5_4.2.src.rpmi386:bind-9.3.6-4.P1.el5_4.2.i386.rpmbind-chroot-9.3.6-4.P1.el5_4.2.i386.rpmbind-devel-9.3.6-4.P1.el5_4.2.i386.rpmbind-libbind-devel-9.3.6-4.P1.el5_4.2.i386.rpmbind-libs-9.3.6-4.P1.el5_4.2.i386.rpmbind-sdb-9.3.6-4.P1.el5_4.2.i386.rpmbind-utils-9.3.6-4.P1.el5_4.2.i386.rpmcaching-nameserver-9.3.6-4.P1.el5_4.2.i386.rpmx86_64:bind-9.3.6-4.P1.el5_4.2.x86_64.rpmbind-chroot-9.3.6-4.P1.el5_4.2.x86_64.rpmbind-devel-9.3.6-4.P1.el5_4.2.i386.rpmbind-devel-9.3.6-4.P1.el5_4.2.x86_64.rpmbind-libbind-devel-9.3.6-4.P1.el5_4.2.i386.rpmbind-libbind-devel-9.3.6-4.P1.el5_4.2.x86_64.rpmbind-libs-9.3.6-4.P1.el5_4.2.i386.rpmbind-libs-9.3.6-4.P1.el5_4.2.x86_64.rpmbind-sdb-9.3.6-4.P1.el5_4.2.x86_64.rpmbind-utils-9.3.6-4.P1.el5_4.2.x86_64.rpmcaching-nameserver-9.3.6-4.P1.el5_4.2.x86_64.rpm-Connie Sieh-Troy Dawson



Security Fixes

Severity
Issued Date: : 2010-01-20
CVE Names: CVE-2010-0097 CVE-2010-0290
CVE-2010-0097 BIND DNSSEC NSEC/NSEC3 validation code could cause bogus
NXDOMAIN responses

Related News

From Heartbleed to Now: Evolving Threats in OpenSSL and How to Guard Against Them

Nov 17, 2023

Security Highlights from KubeCon + CloudNativeCon 2023

Nov 18, 2023

Kubernetes Security on AWS: A Practical Guide

Nov 18, 2023

Kinsing Hackers Exploit Apache ActiveMQ Vulnerability to Deploy Linux Rootkits

Nov 25, 2023

News

Advisories

HOWTOs

Features

A Complete Guide to Torrenting Safely in 2024
Cloud Security Basics for Small Businesses
Scanning and Defending Networks with Nmap
CISA Issues Urgent Warning Over Active Exploitation of Looney Tunables glibc Bug
Cyber Law in the Realm of Open-Source Software Security

About Us

Powered By

Footer Logo