Newest Bind Vulnerabilities.

Joseph S D Yao jsdy at center.osis.gov
Wed Jul 3 17:23:28 UTC 2002


On Wed, Jul 03, 2002 at 10:56:43AM -0600, Vasiliy Boulytchev wrote:
> Ladies and Gents,
> I'm running Bind version 9.2.1.  The latest vulnerability that touched the DNS resolver libraries..... does it apply to me or anyone else out there?

Apparently so.  From your own note, quoting the warning that I hope we
all have already seen:
[my text continued below]

> Internet Software Consortium
>   All versions of BIND 4 from 4.8.1 prior to BIND 4.9.9 are vulnerable.
>   All versions of BIND 8 prior to BIND 8.2.6 are vulnerable.
>   All versions of BIND 8.3.x prior to BIND 8.3.3 are vulnerable.
>   BIND versions BIND 9.2.0 and BIND 9.2.1 are vulnerable.
> 
>   The status of BIND 4.8 is unknown, assume that it is vulnerable.

HOWEVER!

>   BIND versions BIND 9.0.x and BIND 9.1.x are not vulnerable.
> 
>   'named' itself is not vulnerable.

The vulnerability is said to be ONLY in the resolver libraries.  If you
have not re-compiled anything with a resolver library in the above
ranges, or installed one of those resolver libraries as a shared
library to be used by your system by default, then you have not added
any new vulnerabilities.  [But do you know with which resolver library
your base system was running?]

ISC continues:

>   Updated releases can be found at: 
> 
>     ftp://ftp.isc.org/isc/bind/src/4.9.9/ 
>     ftp://ftp.isc.org/isc/bind/src/8.2.6/ 
>     ftp://ftp.isc.org/isc/bind/src/8.3.3/ 
>     ftp://ftp.isc.org/isc/bind/contrib/ntbind-8.3.3/ 
> 
>   BIND 9 contains a copy of the BIND 8.3.x resolver library (lib/bind). This will be updated with the next BIND 9 releases (9.2.2/9.3.0); in the meantime please use the original in BIND 8.3.3.
> 
>   In addition the BIND 9 'named' can be used to prevent malformed answers reaching vulnerable clients.
> 
>   Vendors wishing additional patches should contact bind-bugs at isc.org.
>   Queries about BIND 4 and BIND 8 should be addressed to bind-bugs at isc.org.
>   Queries about BIND 9 should be addressed to bind9-bugs at isc.org.

-- 
Joe Yao				jsdy at center.osis.gov - Joseph S. D. Yao
OSIS Center Systems Support					EMT-B
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.
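
Added example, not part of the original message or of ISC's notice: a small Python check that classifies a BIND release string against the version ranges quoted above. The function name `resolver_status` and the status labels are made up for this illustration, and the result applies to the resolver library shipped with that release, not to 'named'.

```python
import re

# Ranges transcribed from the ISC notice quoted in the message above.
# They describe the resolver library shipped with each BIND release;
# the notice states that 'named' itself is not vulnerable.
_VERSION = re.compile(r"\s*(?:BIND\s+)?(\d+)\.(\d+)(?:\.(\d+))?", re.I)

def resolver_status(version):
    """Classify a release string such as '9.2.1' or '8.3.2-REL'.

    Returns 'vulnerable', 'assume-vulnerable', 'not-vulnerable', or
    'not-listed' when the notice says nothing about that release.
    """
    m = _VERSION.match(version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)  # a bare '8.3' is treated as 8.3.0
    v = (major, minor, patch)

    if major == 4:
        if v == (4, 8, 0):
            return "assume-vulnerable"   # "status of BIND 4.8 is unknown"
        if (4, 8, 1) <= v < (4, 9, 9):
            return "vulnerable"
        # 4.9.9 is the updated release; anything before 4.8 is not mentioned
        return "not-vulnerable" if v >= (4, 9, 9) else "not-listed"
    if major == 8:
        if v < (8, 2, 6):
            return "vulnerable"          # all BIND 8 prior to 8.2.6
        if minor == 2:
            return "not-vulnerable"      # 8.2.6 is the updated release
        if minor == 3:
            return "vulnerable" if patch < 3 else "not-vulnerable"
        return "not-listed"
    if major == 9:
        if minor in (0, 1):
            return "not-vulnerable"      # 9.0.x and 9.1.x
        if v in ((9, 2, 0), (9, 2, 1)):
            return "vulnerable"
        return "not-listed"              # e.g. 9.2.2 / 9.3.0, promised later
    return "not-listed"

if __name__ == "__main__":
    for s in ("9.2.1", "9.1.3", "8.3.2-REL", "8.2.6", "4.8", "9.2.2"):
        print("%-10s %s" % (s, resolver_status(s)))
```

The version to feed in is that of the resolver library a program was built or linked against, which may differ from the version of 'named' running on the same host.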

