URGENT, PLEASE READ: 9.4.2-P1 now available

Abdelkarim D abdelkarimd at hotmail.com
Wed Jul 9 08:12:16 UTC 2008


Please remove my email from this list
 
Regards
 
> Date: Tue, 8 Jul 2008 18:38:24 +0000
> From: Evan_Hunt at isc.org
> To: bind-announce at isc.org
> Subject: URGENT, PLEASE READ: 9.4.2-P1 now available
>
> BIND 9.4.2-P1 is now available.
>
> BIND 9.4.2-P1 is a SECURITY release of BIND 9.4.
>
> URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT
> URGENT                                                                URGENT
> URGENT  THIS ANNOUNCEMENT REFERS TO AN ISSUE THAT MAY AFFECT THE      URGENT
> URGENT  INTEGRITY OF YOUR RECURSIVE DNS SERVICE                       URGENT
> URGENT                                                                URGENT
> URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT URGENT
>
> Thanks to recent work by Dan Kaminsky of IOActive, ISC has become
> aware of a potential attack exploiting weaknesses in the DNS protocol
> itself to enable the poisoning of caching recursive resolvers with
> spoofed data.
>
> For additional information about this vulnerability, see US-CERT
> (CERT VU#800113 DNS Cache Poisoning Issue). For more details on
> changes to BIND, see http://www.isc.org/sw/bind/forgery-resilience.php.
>
> IF YOU ARE RUNNING BIND AS A CACHING RESOLVER YOU NEED TO TAKE ACTION.
>
> DNSSEC is the only definitive solution for this issue. Understanding
> that immediate DNSSEC deployment is not a realistic expectation, ISC
> is releasing patched versions of BIND that improve its resilience
> against this attack. The method used makes it harder to spoof answers
> to a resolver by expanding the range of UDP ports from which queries
> are sent by the nameserver, thereby increasing the variability of
> parameters in outgoing queries.
>
> The code implementing the improved defenses against spoofing attacks
> is the only change between this release and the underlying version
> (9.4.2).
>
> The patch will have a noticeable impact on the performance of BIND
> caching resolvers with query rates at or above 10,000 queries per
> second. If performance at this level is critical for you, please
> refer to the new beta releases of BIND (9.5.1b1 or 9.4.3b2; see
> separate announcements).
>
> YOU ARE ADVISED TO INSTALL EITHER THIS SECURITY PATCH OR ONE OF THE
> BETA RELEASES (9.5.1b1 or 9.4.3b2), IMMEDIATELY.
>
> BIND 9.4.2-P1 can be downloaded from
>
> ftp://ftp.isc.org/isc/bind9/9.4.2-P1/bind-9.4.2-P1.tar.gz
>
> The PGP signature of the distribution is at
>
> ftp://ftp.isc.org/isc/bind9/9.4.2-P1/bind-9.4.2-P1.tar.gz.asc
> ftp://ftp.isc.org/isc/bind9/9.4.2-P1/bind-9.4.2-P1.tar.gz.sha256.asc
> ftp://ftp.isc.org/isc/bind9/9.4.2-P1/bind-9.4.2-P1.tar.gz.sha512.asc
>
> The signature was generated with the ISC public key, which is
> available at <http://www.isc.org/about/openpgp/pgpkey2006.txt>.
>
> A binary kit for Windows 2000, Windows XP and Windows 2003 is at
>
> ftp://ftp.isc.org/isc/bind9/9.4.2-P1/BIND9.4.2-P1.zip
> ftp://ftp.isc.org/isc/bind9/9.4.2-P1/BIND9.4.2-P1.debug.zip
>
> The PGP signature of the binary kit for Windows 2000, Windows XP and
> Windows 2003 is at
>
> ftp://ftp.isc.org/isc/bind9/9.4.2-P1/BIND9.4.2-P1.zip.asc
> ftp://ftp.isc.org/isc/bind9/9.4.2-P1/BIND9.4.2-P1.zip.sha256.asc
> ftp://ftp.isc.org/isc/bind9/9.4.2-P1/BIND9.4.2-P1.zip.sha512.asc
> ftp://ftp.isc.org/isc/bind9/9.4.2-P1/BIND9.4.2-P1.debug.zip.asc
> ftp://ftp.isc.org/isc/bind9/9.4.2-P1/BIND9.4.2-P1.debug.zip.sha256.asc
> ftp://ftp.isc.org/isc/bind9/9.4.2-P1/BIND9.4.2-P1.debug.zip.sha512.asc
>
> Changes since 9.4.2:
>
> --- 9.4.2-P1 released ---
>
> 2375. [security] Fully randomize UDP query ports to improve
>       forgery resilience. [RT #17949]
>
>
> --
> Evan Hunt -- evan_hunt at isc.org
> Internet Systems Consortium, Inc.
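
The quoted announcement says the patch widens the range of UDP ports that queries are sent from. The following added example (not part of the original message and not ISC code) shows how an operator could judge that from the source ports a resolver's queries arrive with; the resolver names, the port lists and the MIN_STDEV cut-off are constructed assumptions.

```python
import math
import statistics

TXID_BITS = 16        # the DNS transaction ID is a 16-bit field
MIN_STDEV = 3000.0    # assumed heuristic cut-off, not a value from ISC


def search_space_bits(port_pool_size):
    """Bits an off-path forger must match: transaction ID plus source port."""
    if port_pool_size < 1:
        raise ValueError("port pool must contain at least one port")
    return TXID_BITS + math.log2(port_pool_size)


def classify_ports(ports):
    """Classify source ports seen on a resolver's queries, in arrival order."""
    if len(ports) < 4:
        raise ValueError("too few queries to judge port behaviour")
    if len(set(ports)) == 1:
        return "fixed"            # every query left from the same port
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if steps == {1}:
        return "sequential"       # next port is trivially predictable
    if statistics.pstdev(ports) < MIN_STDEV:
        return "narrow"           # ports vary, but only within a small window
    return "randomized"


# Constructed samples: source ports as an authoritative server you operate
# might log them for four different resolvers.
SAMPLES = {
    "resolver-a": [32768] * 6,
    "resolver-b": [1025, 1026, 1027, 1028, 1029],
    "resolver-c": [32768, 32771, 32769, 32775, 32770, 32773],
    "resolver-d": [40211, 1893, 58120, 23377, 61002, 9154, 33748, 47563],
}


def report(samples=SAMPLES):
    """Return a verdict per resolver name."""
    return {name: classify_ports(ports) for name, ports in samples.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name}: {verdict}")
    print(f"fixed port: {search_space_bits(1):.0f} bits to match; "
          f"65536-port pool: {search_space_bits(65536):.0f} bits")
```

A "randomized" verdict on a handful of queries only shows that the ports are spread out; a longer capture is needed before trusting it.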


More information about the bind-users mailing list