Stay Ahead With Linux Security News

security advisorysoftware updatesecurity fix

BIND 8.4.3 Security Advisory: Mitigating Cache Poisoning Risks

BIND 8.4.3 is a maintenance release of BIND 8.4. It includes the BIND 8.4.2 release which includes a security fix (also released as BIND 8.3.7). EnGarde has updates available; other vendors expected to follow shortly. It is not yet known if this impacts BIND-9; updates to follow. . . .. BIND 8.4.3 is a maintenance release of BIND 8.4. It includes the BIND 8.4.2 release which includes a security fix (also released as BIND 8.3.7). EnGarde has updates available; other vendors expected to follow shortly. It is not yet known if this impacts BIND-9; updates to follow. Subject: BIND 8.4.3 Release (8.4.3-REL) Date: 2003-11-26 23:00:59 BIND 8.4.3 Release (8.4.3-REL) BIND 8.4.3 is a maintenance release of BIND 8.4. It includes the BIND 8.4.2 release which includes a security fix (also released as BIND 8.3.7). Highlights. Maintenance Release. Highlights (8.4.2) Security Fix: Negative Cache Poison Fix. the distribution files are: Ftp://ftp.isc.org/isc/bind/src/8.4.3/bind-doc.tar.gz the pgp signature files are: .asc the md5 checksums are: MD5 (bind-contrib.tar.gz) = 454f8e3caf1610941a656fcc17e1ecec MD5 (bind-contrib.tar.gz.asc) = f8f0a5b8985a8180e5bd02207f319980 MD5 (bind-doc.tar.gz) = fcfdaaa2fc7d6485b0e3d08299948bd3 MD5 (bind-doc.tar.gz.asc) = fc0671468c2e3a1e5ff817b69da21a6b MD5 (bind-src.tar.gz) = e78610fc1663cfe8c2db6a2d132d902b MD5 (bind-src.tar.gz.asc) = 40453b40819fd940ad4bfabd26425619 Windows NT / Windows 2000 binary distribution. the md5 checksums are: MD5 (readme1st.txt) = ac4ce260f151dc1ab393c145f4288bba MD5 (BIND8.4.3.zip) = 7c3e333f90edbe3820952a62ff6ffdf3 MD5 (BIND8.4.3.zip.asc) = f2190cc390ce584c0cc624835bdcc8eb MD5 (readme1sttools.txt) = eef4c5782be1a1faac3ca0c756eaef05 MD5 (BIND8.4.3Tools.zip) = 8cb29c092394dfa430ef9ea47b6a02ea MD5 (BIND8.4.3Tools.zip.asc) = a77b2adb1f23db780f45efee32a92882 top of CHANGES says: --- 8.4.3 released --- (Mon Nov 24 17:27:52 PST 2003) 1617. [cleanup] don't pre-fetchmissing additional address records if we have one of A/AAAA. 1616. [func] turn on "preferred-glue A;" (if not specified in named.conf) if the answer space is a standard UDP message size or smaller. 1615. [func] when query logging log whether TSIG (T) and/or EDNS (E) was used to make the query. 1614. [cleanup] on dual (IPv4+IPv6) stack servers delay the lookup of missing glue if we have glue for one family. 1613. [cleanup] notify: don't lookup A/AAAA records for nameservers if we don't support the address at the transport level. 1612. [func] named now takes arguements -4 and -6 to limit the IP transport used for making queries. 1611. [debug] better packet tracing in debug output (+ some lint). 1610. [bug] don't explictly declare errno use . 1609. [bug] drop_port() was being called with ports in network order rather than host order. 1608. [port] sun: force alignment of answer in dig.c. 1607. [bug] do not attempt to prime cache when recursion and fetch-glue are disabled. 1606. [bug] sysquery duplicate detection was broken when using forwarders. 1605. [port] sun: force alignment of newmsg in ns_resp.c. 1604. [bug] heap_delete() sometimes violated the heap invariant, causing timer events not to be posted when due. 1603. [port] ds_remove_gen() mishandled removal IPv6 interfaces. 1602. [port] linux: work around a non-standard __P macro. 1601. [bug] dig could report the wrong server address on transfers. 1600. [bug] debug_freestr() prototype mismatch. 1599. [bug] res_nsearch() save statp-> res_h_errno instead of h_errno. 1598. [bug] dprint_ip_match_list() fails to print the mask correctly. 1597. [bug] use the actual presentation length of the IP address to determine if sprintf() is safe in write_tsig_info(). --- 8.4.2 released --- (Thu Sep 4 06:58:22 PDT 2003) 1596. [port] winnt: set USELOOPBACK in port_after.h 1595. [bug] dig: strcat used instead of strcpy. 1594. [bug] if only a single nameserver was listed in resolv.conf IPv6 default server was also being used. 1593. [port] irix: update port/irix/irix_patch. 1592. [port] irix: provide a sysctl() based getifaddrs() implementation. 1591. [port] irix: sa_len is a macro. 1590. [port] irix: doesn't have msg_control (NO_MSG_CONTROL) 1589. [port] linux: uninitalised variable. 1588. [port] solaris: provide ALIGN. 1587. [port] NGR_R_END_RESULT was not correct for some ports. 1586. [port] winnt: revert to old socket behaviour for UDP sockets (Windows 2000 SP2 and later). 1585. [port] solaris: named-xfer needs . 1584. [port] bsdos: explictly include for 4.0 and 4.1. 1583. [bug] add -X to named-xfer usage message. 1582. [bug] ns_ownercontext() failed to set the correct owner context for AAAA records. ns_ptrcontext() failed to return the correct context for IP6.ARPA. 1581. [bug] apply anti-cache poison techniques to negative answers. 1580. [bug] inet_net_pton() didn't fully handle implicit multicast IPv4 network addresses. 1579. [bug] ifa_addr can be NULL. 1578. [bug] named-xfer: wrong arguement passed to getnameinfo(). 1577. [func] return referrals for glue (NS/A/AAAA) if recursion is not desired (hp-> rd = 0). 1576. [bug] res_nsendsigned() incorrectly printed the truncated UDP response when RES_IGNTC was not set. 1575. [bug] tcp_send() passed the wrong length to evConnect(). 1574. [bug] res_nsendsigned() failed to handle truncation cleanly. 1573. [bug] tsig_size was not being copied by ns_forw(). 1572. [port] bsdos: missing #include . 1571. [bug] AA was sometimes incorrectly set. 1570. [port] decunix: change #1544 broke OSF1 3.2C. 1569. [bug] remove extraneous closes. 1568. [cleanup] reduce the memory footprint for large numbers of zones. 1567. [port] winnt: install MSVC70.DLL and MFC70.DLL. 1566. [bug] named failed to locate keys declared in masters clause. 1565. [bug] named-xfer was failing to use TSIG. 1564. [port] linux: allow static linkage to work. 1563. [bug] ndc getargs_closure failed to NUL terminate strings. 1562. [bug] handle non-responsive servers better. 1561. [bug] rtt estimates were not being updated for IPv6 addresses. 1560. [port] linux: add runtime support to handle old kernels that don't know about msg_control. 1559. [port] named, named-xfer: ensure that stdin, stdout and stderr are open. --- 8.4.1-P1 released --- (Sun Jun 15 17:35:10 PDT 2003) 1558. [port] sunos4 doesn't have msg_control (NO_MSG_CONTROL). 1557. [port] linux: socket returns EINVAL for unsupported family. 1556. [bug] reference through NULL pointer. 1555. [bug] sortlist wasn't being applied to AAAA queries. 1554. [bug] IPv4 access list elements of the form number/number (e.g. 127/8) were not correctly defined. 1553. [bug] getifaddrs*() failed to set ifa_dstaddr for point to point links (overwrote ifa_addr). 1552. [bug] buffer overruns in getifaddrs*() if the server has point to point links. 1551. [port] freebsd: USE_IFNAMELINKIDS should be conditionally defined. 1550. [port] TruCluster support didn't build. 1549. [port] Solaris 9 has /dev/random. --- 8.4.1-REL released --- (Sun Jun 8 15:11:32 PDT 2003) 1548. [port] winnt: make recv visible from libbind. 1547. [port] cope with spurious EINVAL from evRead. 1546. [cleanup] dig now reports version 8.4. 1545. [bug] getifaddrs_sun6 was broken. 1544. [port] hpux 10.20 has a broken recvfrom(). Revert to recv() in named-xfer and work around deprecated recv() in OSF. 1543. [bug] named failed to send notifies to servers that live in zones it was authoritative for. 1542. [bug] set IPV6_USE_MIN_MTU on IPv6 sockets if the kernel supports it. 1541. [bug] getifaddrs_sun6() should be a no-op on early SunOS releases. --- 8.4.0-REL released --- (Sun Jun 1 17:49:31 PDT 2003) . BIND version 8.4.3 is a vital update that enhances maintenance, specifically targeting vulnerabilities with new security patches to combat cache poisoning threats. BIND Security, Cache Poisoning, EnGarde Updates. . LinuxSecurity.com Team

Nov 26, 2003 • LinuxSecurity.com Team Server Security