ISC BIND 9.4.3-P5 is now available
Evan Hunt
each at isc.org
Tue Jan 19 17:27:30 UTC 2010
BIND 9.4.3-P5 is now available.
BIND 9.4.3-P5 is a SECURITY PATCH for BIND 9.4.3. It addresses two
potential cache poisoning vulnerabilities, both of which could allow
a validating recursive nameserver to cache data which had not been
authenticated or was invalid.
Bugs should be reported to bind9-bugs at isc.org.
CVE identifiers: CVE-2009-4022, CVE-2010-0097
CERT advisories: VU#418861, VU#360341.
Information about these vulnerabilities can be found at:
https://www.isc.org/advisories/CVE-2009-4022v6
https://www.isc.org/advisories/CVE-2010-0097
BIND 9.4.3-P5 can be downloaded from:
ftp://ftp.isc.org/isc/bind9/9.4.3-P5/bind-9.4.3-P5.tar.gz
PGP signatures of the distribution are at:
ftp://ftp.isc.org/isc/bind9/9.4.3-P5/bind-9.4.3-P5.tar.gz.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P5/bind-9.4.3-P5.tar.gz.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P5/bind-9.4.3-P5.tar.gz.sha512.asc
The signatures were generated with the ISC public key, which is
available at https://www.isc.org/about/openpgp
A binary kit for Windows XP, Windows 2003 and Windows 2008 is at:
ftp://ftp.isc.org/isc/bind9/9.4.3-P5/BIND9.4.3-P5.zip
ftp://ftp.isc.org/isc/bind9/9.4.3-P5/BIND9.4.3-P5.debug.zip
PGP signatures of the binary kit are at:
ftp://ftp.isc.org/isc/bind9/9.4.3-P5/BIND9.4.3-P5.zip.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P5/BIND9.4.3-P5.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P5/BIND9.4.3-P5.zip.sha512.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P5/BIND9.4.3-P5.debug.zip.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P5/BIND9.4.3-P5.debug.zip.sha256.asc
ftp://ftp.isc.org/isc/bind9/9.4.3-P5/BIND9.4.3-P5.debug.zip.sha512.asc
Changes since 9.4.3-P4:
2831. [security] Do not attempt to validate or cache
out-of-bailiwick data returned with a secure
answer; it must be re-fetched from its original
source and validated in that context. [RT #20819]
2828. [security] Cached CNAME or DNAME RR could be returned to clients
without DNSSEC validation. [RT #20737]
2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
More information about the bind-users
mailing list