Resolver library question

Mark_Andrews at isc.org
Thu Sep 5 05:40:38 UTC 2002


> 
> On Solaris 2.6 I am running BIND 9.1.3, compiled with gcc (2.7.x I
> think, but not sure) using the provided BIND make files. Recently CERT
> published a vulnerability in the resolver library that Solaris uses.
> Question: Is our BIND vulnerable, and if so, is it using the libraries
> provided with Solaris or something that came with gcc? I'm trying to
> understand whether or not applying the Solaris patch will fix the
> vulnerability on my systems. And if not, exactly what I have to do to
> fix it.
> 
> Thanks,
> Chuck Sterling

	Did you bother to read the advisory?  It answers your questions.

	Mark

All versions of BIND 4 from 4.8.1 prior to BIND 4.9.9 are vulnerable.
All versions of BIND 8 prior to BIND 8.2.6 are vulnerable.
All versions of BIND 8.3.x prior to BIND 8.3.3 are vulnerable.
BIND versions BIND 9.2.0 and BIND 9.2.1 are vulnerable.

The status of BIND 4.8 is unknown, assume that it is vulnerable.

BIND versions BIND 9.0.x and BIND 9.1.x are not vulnerable.

'named' itself is not vulnerable.

Updated releases can be found at:
ftp://ftp.isc.org/isc/bind/src/4.9.9/
ftp://ftp.isc.org/isc/bind/src/8.2.6/
ftp://ftp.isc.org/isc/bind/src/8.3.3/
ftp://ftp.isc.org/isc/bind/contrib/ntbind-8.3.3/

BIND 9 contains a copy of the BIND 8.3.x resolver library (lib/bind).
This will be updated with the next BIND 9 releases (9.2.2/9.3.0);
in the meantime, please use the original in BIND 8.3.3.

Vendors wishing additional patches should contact bind-bugs at isc.org.
Queries about BIND 4 and BIND 8 should be addressed to bind-bugs at isc.org.
Queries about BIND 9 should be addressed to bind9-bugs at isc.org.
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org

