Package: bind9
Version: 1:9.5.0.dfsg.P2-5.1
Severity: wishlist
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu jaunty ubuntu-patch
*** /tmp/tmpN4PvmS

In Ubuntu, we've applied the attached patch to achieve the following:

  * SECURITY UPDATE: clients treat malformed signatures as good when
    verifying server DSA and ECDSA certificates.
    - update lib/dns/openssldsa_link.c to properly check the return code
      of DSA_do_verify()
    - CVE-2009-0025

We thought you might be interested in doing the same.

-- System Information:
Debian Release: lenny/sid
  APT prefers hardy-updates
  APT policy: (500, 'hardy-updates'), (500, 'hardy-security'), (500, 'hardy-proposed'), (500, 'hardy')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-16-generic (SMP w/2 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
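The return-code mistake behind this update, as an added illustration that is not part of the bug report or of BIND's own code: OpenSSL's DSA_do_verify() documents three outcomes, 1 for a valid signature, 0 for an invalid one and -1 on error, which is what it returns for a signature it cannot parse. A caller that only treats 0 as failure lets the -1 error path fall through to success. The stub below imitates that contract without doing any cryptography (it is constructed for this example and stands in for the real library call), and the two verify functions reproduce the pre-patch `status == 0` check and the post-patch `status <= 0` check; the result names are local placeholders, not BIND's isc/dst headers.

```c
#include <stdio.h>

/* Local stand-ins for BIND's ISC_R_SUCCESS / DST_R_VERIFYFAILURE (placeholders). */
typedef enum { RESULT_SUCCESS = 0, RESULT_VERIFYFAILURE = 1 } result_t;

/* Constructed input states that drive the stub below. */
typedef enum { SIG_VALID, SIG_INVALID, SIG_MALFORMED } sig_state_t;

/* Stub for OpenSSL's DSA_do_verify(): follows the documented contract of
 * 1 = good signature, 0 = bad signature, -1 = error (e.g. unparseable
 * signature), but performs no cryptography. Constructed for this example. */
static int stub_dsa_do_verify(sig_state_t state) {
    switch (state) {
    case SIG_VALID:     return 1;
    case SIG_INVALID:   return 0;
    case SIG_MALFORMED: return -1;
    }
    return -1;
}

/* Pre-patch logic: only a 0 return is a failure, so -1 (error) is accepted. */
result_t verify_before(sig_state_t state) {
    int status = stub_dsa_do_verify(state);
    if (status == 0)
        return RESULT_VERIFYFAILURE;
    return RESULT_SUCCESS;
}

/* Post-patch logic (the hunk's `status <= 0`): 0 and -1 both fail,
 * so only an explicit 1 is accepted. */
result_t verify_after(sig_state_t state) {
    int status = stub_dsa_do_verify(state);
    if (status <= 0)
        return RESULT_VERIFYFAILURE;
    return RESULT_SUCCESS;
}

int main(void) {
    const char *names[] = { "valid", "invalid", "malformed" };
    for (int s = SIG_VALID; s <= SIG_MALFORMED; s++) {
        printf("%-9s before: %s  after: %s\n", names[s],
               verify_before((sig_state_t)s) == RESULT_SUCCESS ? "ACCEPT" : "reject",
               verify_after((sig_state_t)s) == RESULT_SUCCESS ? "ACCEPT" : "reject");
    }
    return 0;
}
```

The malformed row is the one that matters: before the patch it is accepted, after the patch it is rejected, while the valid and invalid rows behave the same in both versions.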
--- bind9-9.5.0.dfsg.P2.orig/lib/dns/openssldsa_link.c +++ bind9-9.5.0.dfsg.P2/lib/dns/openssldsa_link.c @@ -146,7 +146,7 @@ status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa); DSA_SIG_free(dsasig); - if (status == 0) + if (status <= 0) return (dst__openssl_toresult(DST_R_VERIFYFAILURE)); return (ISC_R_SUCCESS);
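Review bot: The change from `status == 0` to `status <= 0` in this hunk is the right fix, because DSA_do_verify() returns 1 for a valid signature, 0 for an invalid one and -1 on error (which is what a malformed signature produces), so the original test let the -1 error path reach `return (ISC_R_SUCCESS);`. Consider writing the check as `if (status != 1)` instead: it expresses the intent (accept only an explicit success) and also rejects any unexpected positive value. Note also that the diff touches only the DSA path in lib/dns/openssldsa_link.c, while the changelog entry above speaks of DSA and ECDSA certificates; it would be worth confirming that no other verify routine in this package does the same `== 0` comparison.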