-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ________________________________________________________________________
OpenPKG Security Advisory The OpenPKG Project http://www.openpkg.org/security/ http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] OpenPKG-SA-2006.019 07-Sep-2006 ________________________________________________________________________ Package: bind Vulnerability: denial of service OpenPKG Specific: no Affected Releases: Affected Packages: Corrected Packages: OpenPKG CURRENT <= bind-9.3.2-20060825 >= bind-9.3.2-20060907 OpenPKG 2-STABLE <= bind-9.3.2-2.20060622 >= bind-9.3.2-2.20060907 OpenPKG 2.5-RELEASE <= bind-9.3.1-2.5.0 >= bind-9.3.1-2.5.1 Description: Two vulnerabilities were discovered in the DNS server BIND [0]: 1. SIG Query Processing [1][2][3]: On recursive servers queries for SIG records will trigger a assertion failure if more than one SIG (covered) RR set is returned. On authoritative servers, if a nameserver is serving a RFC 2535 DNSSEC zone and is queried for the SIG records where multiple SIG (covered) RRsets (e.g. a zone apex) exist, then BIND will trigger a assertion failure when it trys to construct the response. The Common Vulnerabilities and Exposures (CVE) project assigned the id CVE-2006-4095 [4] to the problem. 2. Excessive Recursive Queries INSIST failure [1][2][5]: It is possible to trigger an INSIST failure by sending enough recursive queries that the response to the query arrives after all the clients looking for the response have left the recursion queue. The Common Vulnerabilities and Exposures (CVE) project assigned the id CVE-2006-4096 [6] to the problem. ________________________________________________________________________ References: [0] http://www.isc.org/sw/bind/ [1] http://www.isc.org/sw/bind/bind9.3.php#security [2] http://www.niscc.gov.uk/niscc/docs/re-20060905-00590.pdf?lang=en [3] http://www.kb.cert.org/vuls/id/915404 [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4095 [5] http://www.kb.cert.org/vuls/id/697164 [6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4096 ________________________________________________________________________ For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) of the OpenPKG project which you can retrieve from http://pgp.openpkg.org and hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org for details on how to verify the integrity of this advisory. ________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Comment: OpenPKG <[EMAIL PROTECTED]> iD8DBQFE/794gHWT4GPEy58RAo0wAJsGu/E4cbPEvrM5sy+5OWJVorpspQCg0pAy l7e+/Gb7VPAlKUEuyh52nS0= =rrBf -----END PGP SIGNATURE-----
