------------------------------------------------------------
Arch Linux Security Warning                    ALSW 2007-#35
------------------------------------------------------------

Name:      bind
Date:      2007-07-28
Severity:  High
Warning #: 2007-#35

------------------------------------------------------------

Product Background
===================
BIND (Berkeley Internet Name Domain) is an implementation of the
Domain Name System (DNS) protocols and provides an openly
redistributable reference implementation of the major components of
the Domain Name System.

Problem Background
===================
ISC has discovered or has been notified of several bugs which can
result in vulnerabilities of varying levels of severity in BIND as
distributed by ISC.

Impact
===================
[1] The default access control lists (acls) are not being correctly
    set. If not set anyone can make recursive queries and/or query the
    cache contents.

[2] The DNS query id generation is vulnerable to cryptographic
    analysis which provides a 1 in 8 chance of guessing the next query
    id for 50% of the query ids. This can be used to perform cache
    poisoning by an attacker. This bug only affects outgoing queries,
    generated by BIND 9 to answer questions as a resolver, or when it
    is looking up data for internal uses, such as when sending NOTIFYs
    to slave name servers.

Problem Packages
===================
Package: bind
Repo:    current
Group:   daemon
Unsafe:  < 9.4.1-P1
Safe:    >= 9.4.1-P1

Package Fix
===================
Upgrade to 9.4.1-P1

---------------------------------------------
Unofficial ArchLinux Security Bug Tracker:
http://jjdanimoth.netsons.org/alsw.html
---------------------------------------------

Reference(s)
===================
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2925
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926
_______________________________________________
arch mailing list
[email protected]
http://archlinux.org/mailman/listinfo/arch
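
Added example, not part of the original advisory and not ISC or Arch Linux code: issue [1] concerns ACLs that are left at their defaults, so alongside the upgrade it is worth checking whether named.conf sets them explicitly. The sketch below audits the global options block for BIND's allow-recursion and allow-query-cache statements. The sample configurations are constructed, and as simplifying assumptions it ignores view blocks and comment markers inside quoted strings.

```python
import re

# Options that the advisory's issue [1] concerns (recursion and cache access).
CHECKED = ("allow-recursion", "allow-query-cache")

def strip_comments(conf):
    """Remove /* */, // and # comments (simplified: ignores quoted strings)."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def options_body(conf):
    """Return the text inside the global options { ... } block, or ''."""
    m = re.search(r"(?<![\w-])options\s*\{", conf)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[m.end():i]
    return conf[m.end():]  # unbalanced braces: audit what is there

def audit(conf):
    """Map each checked option to 'missing', 'any' or 'restricted'."""
    body = options_body(strip_comments(conf))
    result = {}
    for opt in CHECKED:
        m = re.search(r"(?<![\w-])" + re.escape(opt) + r"\s*\{([^{}]*)\}", body)
        if not m:
            result[opt] = "missing"  # server falls back to its built-in default
            continue
        elems = [e.strip() for e in m.group(1).split(";") if e.strip()]
        result[opt] = "any" if "any" in elems else "restricted"
    return result

# Constructed sample configurations (not taken from the advisory).
IMPLICIT = ('options {\n  directory "/var/named";  // no ACLs set\n'
            '  /* allow-recursion { any; }; */\n};\n')
EXPLICIT = ('acl trusted { 127.0.0.1; 192.0.2.0/24; };\n'
            'options {\n  allow-recursion { trusted; };\n'
            '  allow-query-cache { any; };\n};\n')

if __name__ == "__main__":
    for name, conf in (("implicit", IMPLICIT), ("explicit", EXPLICIT)):
        print(name, audit(conf))
```

A result of "missing" means the server depends on the built-in defaults that issue [1] describes; "any" means the option is set but open to every client.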
