Date: Thu, 07 Jan 2010 17:25:10 +0900
From: Uehata Keiji <uehata@firstserver.co.jp>
To: freebsd-security@FreeBSD.org
Subject: Re: ANNOUNCE: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-10:01.bind
Message-ID: <20100107165933.96D1.1F47C451@firstserver.co.jp>
In-Reply-To: <201001062254.o06Msord089040@freefall.freebsd.org>
References: <201001062254.o06Msord089040@freefall.freebsd.org>
Hello, this is Uehata from the Technical Group.

Yライト and おとくフリーセル were all uniformly configured with dnssec-enable no;, so there is no problem.

Also, from 9.3.0 onward, dnssec-enable no appears to be the default value even when the option is not written.

Best regards.

---------------------------------------
FirstServer Inc. (ファーストサーバ株式会社)
    Operations Technology Department, Technical Group
    Keiji Uehata (上畑 圭史) <Keiji Uehata>
    e-mail:uehata@firstserver.co.jp
TEL: 050-3160-0763 / 06-6261-3332 (main)
FAX: 06-6125-1733
URL: http://www.fsv.jp/ http://www.firstserver.co.jp/
Address: 〒541-0052 Nomura Real Estate Osaka Building 3F, 1-8-15 Azuchimachi, Chuo-ku, Osaka
---------------------------------------

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-10:01.bind                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          BIND named(8) cache poisoning with DNSSEC validation
>
> Category:       contrib
> Module:         bind
> Announced:      2010-01-06
> Credits:        Michael Sinatra
> Affects:        All supported versions of FreeBSD.
> Corrected:      2009-12-11 01:23:58 UTC (RELENG_8, 8.0-STABLE)
>                 2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2)
>                 2009-12-11 02:23:04 UTC (RELENG_7, 7.2-STABLE)
>                 2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6)
>                 2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10)
>                 2010-01-06 21:45:30 UTC (RELENG_6, 6.4-STABLE)
>                 2010-01-06 21:45:30 UTC (RELENG_6_4, 6.4-RELEASE-p9)
>                 2010-01-06 21:45:30 UTC (RELENG_6_3, 6.3-RELEASE-p15)
> CVE Name:       CVE-2009-4022
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
>
> I.   Background
>
> BIND 9 is an implementation of the Domain Name System (DNS) protocols.
> The named(8) daemon is an Internet Domain Name Server.
>
> DNS Security Extensions (DNSSEC) provides data integrity, origin
> authentication and authenticated denial of existence to resolvers.
>
> II.  Problem Description
>
> If a client requests DNSSEC records with the Checking Disabled (CD) flag
> set, BIND may cache the unvalidated responses.  These responses may later
> be returned to another client that has not set the CD flag.
>
> III. Impact
>
> If a client can send such queries to a server, it can exploit this
> problem to mount a cache poisoning attack, seeding the cache with
> unvalidated information.
>
> IV.  Workaround
>
> Disabling DNSSEC validation will prevent BIND from caching unvalidated
> records, but also prevent DNSSEC authentication of records.  Systems not
> using DNSSEC validation are not affected.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE,
> or to the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or
> RELENG_6_3 security branch dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 6.3, 6.4,
> 7.1, 7.2, and 8.0 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 6.3]
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-63.patch
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-63.patch.asc
>
> [FreeBSD 6.4]
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-64.patch
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-64.patch.asc
>
> [FreeBSD 7.1]
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-71.patch
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-71.patch.asc
>
> [FreeBSD 7.2]
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-72.patch
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-72.patch.asc
>
> [FreeBSD 8.0]
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-80.patch
> # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-80.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/lib/bind
> # make obj && make depend && make && make install
> # cd /usr/src/usr.sbin/named
> # make obj && make depend && make && make install
> # /etc/rc.d/named restart
>
> NOTE WELL: Users running FreeBSD 6 and using DNSSEC are advised to get
> a more recent BIND version with more complete DNSSEC support.  This
> can be done either by upgrading to FreeBSD 7.x or later, or installing
> BIND for the FreeBSD Ports Collection.
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> CVS:
>
> Branch                                                           Revision
>   Path
> - -------------------------------------------------------------------------
> RELENG_6
>   src/contrib/bind9/lib/dns/rbtdb.c                               1.1.1.1.4.4
>   src/contrib/bind9/lib/dns/include/dns/types.h                   1.1.1.1.4.2
>   src/contrib/bind9/lib/dns/resolver.c                           1.1.1.2.2.11
>   src/contrib/bind9/lib/dns/masterdump.c                          1.1.1.1.4.3
>   src/contrib/bind9/lib/dns/validator.c                           1.1.1.2.2.6
>   src/contrib/bind9/bin/named/query.c                             1.1.1.1.4.7
> RELENG_6_4
>   src/UPDATING                                                1.416.2.40.2.13
>   src/sys/conf/newvers.sh                                      1.69.2.18.2.15
>   src/contrib/bind9/lib/dns/rbtdb.c                           1.1.1.1.4.3.2.1
>   src/contrib/bind9/lib/dns/include/dns/types.h               1.1.1.1.4.1.4.1
>   src/contrib/bind9/lib/dns/resolver.c                        1.1.1.2.2.9.2.1
>   src/contrib/bind9/lib/dns/masterdump.c                      1.1.1.1.4.1.4.1
>   src/contrib/bind9/lib/dns/validator.c                       1.1.1.2.2.4.2.1
>   src/contrib/bind9/bin/named/query.c                         1.1.1.1.4.5.2.1
> RELENG_6_3
>   src/UPDATING                                                1.416.2.37.2.20
>   src/sys/conf/newvers.sh                                      1.69.2.15.2.19
>   src/contrib/bind9/lib/dns/rbtdb.c                           1.1.1.1.4.2.2.1
>   src/contrib/bind9/lib/dns/include/dns/types.h               1.1.1.1.4.1.2.1
>   src/contrib/bind9/lib/dns/resolver.c                        1.1.1.2.2.6.2.2
>   src/contrib/bind9/lib/dns/masterdump.c                      1.1.1.1.4.1.2.1
>   src/contrib/bind9/lib/dns/validator.c                       1.1.1.2.2.3.2.1
>   src/contrib/bind9/bin/named/query.c                         1.1.1.1.4.4.2.1
> RELENG_7
>   src/contrib/bind9/lib/dns/rbtdb.c                               1.1.1.4.2.4
>   src/contrib/bind9/lib/dns/include/dns/types.h                   1.1.1.3.2.2
>   src/contrib/bind9/lib/dns/resolver.c                            1.1.1.9.2.6
>   src/contrib/bind9/lib/dns/masterdump.c                          1.1.1.3.2.3
>   src/contrib/bind9/lib/dns/validator.c                           1.1.1.6.2.5
>   src/contrib/bind9/bin/named/query.c                             1.1.1.6.2.4
> RELENG_7_2
>   src/UPDATING                                                 1.507.2.23.2.9
>   src/sys/conf/newvers.sh                                      1.72.2.11.2.10
>   src/contrib/bind9/lib/dns/rbtdb.c                           1.1.1.4.2.2.2.1
>   src/contrib/bind9/lib/dns/include/dns/types.h                   1.1.1.3.8.1
>   src/contrib/bind9/lib/dns/resolver.c                        1.1.1.9.2.4.2.1
>   src/contrib/bind9/lib/dns/masterdump.c                      1.1.1.3.2.1.2.1
>   src/contrib/bind9/lib/dns/validator.c                       1.1.1.6.2.3.2.1
>   src/contrib/bind9/bin/named/query.c                         1.1.1.6.2.2.2.1
> RELENG_7_1
>   src/UPDATING                                                1.507.2.13.2.13
>   src/sys/conf/newvers.sh                                       1.72.2.9.2.14
>   src/contrib/bind9/lib/dns/rbtdb.c                           1.1.1.4.2.1.4.1
>   src/contrib/bind9/lib/dns/include/dns/types.h                   1.1.1.3.6.1
>   src/contrib/bind9/lib/dns/resolver.c                        1.1.1.9.2.3.2.1
>   src/contrib/bind9/lib/dns/masterdump.c                          1.1.1.3.6.1
>   src/contrib/bind9/lib/dns/validator.c                       1.1.1.6.2.1.4.1
>   src/contrib/bind9/bin/named/query.c                         1.1.1.6.2.1.4.1
> RELENG_8
>   src/contrib/bind9/lib/dns/rbtdb.c                                   1.3.2.2
>   src/contrib/bind9/lib/dns/include/dns/types.h                       1.2.2.2
>   src/contrib/bind9/lib/dns/resolver.c                                1.6.2.2
>   src/contrib/bind9/lib/dns/masterdump.c                              1.3.2.2
>   src/contrib/bind9/lib/dns/validator.c                               1.4.2.2
>   src/contrib/bind9/bin/named/query.c                                 1.3.2.2
> RELENG_8_0
>   src/UPDATING                                                  1.632.2.7.2.5
>   src/sys/conf/newvers.sh                                        1.83.2.6.2.5
>   src/contrib/bind9/lib/dns/rbtdb.c                                   1.3.4.1
>   src/contrib/bind9/lib/dns/include/dns/types.h                       1.2.4.1
>   src/contrib/bind9/lib/dns/resolver.c                                1.6.4.1
>   src/contrib/bind9/lib/dns/masterdump.c                              1.3.4.1
>   src/contrib/bind9/lib/dns/validator.c                               1.4.4.1
>   src/contrib/bind9/bin/named/query.c                                 1.3.4.1
> - -------------------------------------------------------------------------
>
> Subversion:
>
> Branch/path                                                      Revision
> - -------------------------------------------------------------------------
> stable/6/                                                         r200394
> releng/6.4/                                                       r201679
> releng/6.3/                                                       r201679
> stable/7/                                                         r200393
> releng/7.2/                                                       r201679
> releng/7.1/                                                       r201679
> stable/8/                                                         r200383
> releng/8.0/                                                       r201679
> head/                                                             r199958
> - -------------------------------------------------------------------------
>
> VII. References
>
> https://www.isc.org/node/504
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-10:01.bind.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (FreeBSD)
>
> iD8DBQFLRQ9dFdaIBMps37IRAip+AJ0S55AYqLsrwrLLMo8Qi6fGxoH7EQCfU/6K
> RUb5Kn+O1qc/FUzEQ12AmrA=
> =Pfoo
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-announce@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-announce
> To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"
>
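The reply above settles the question for one operator by reading named.conf: the workaround in section IV only matters where validation is actually on, and an absent option falls back to a version-dependent default. The following script is an added example (not code from the advisory, from ISC, or from the poster) that audits a named.conf for exactly that: it strips the three named.conf comment forms, finds the top-level options block and every view, resolves dnssec-enable and dnssec-validation per scope with view-to-options inheritance, and reports where each effective value came from. The sample configuration is constructed, and ASSUMED_DEFAULTS is an assumption made for illustration only; the real defaults for the BIND version in use must be looked up and passed in.

```python
"""Audit a BIND named.conf for the DNSSEC settings behind the SA-10:01.bind
workaround.  Added example, not code from the advisory or from the poster;
the sample configuration and the default values below are constructed."""
import re
from typing import Dict, Optional

OPTION_NAMES = ("dnssec-enable", "dnssec-validation")

# ASSUMPTION, for illustration only: what applies when an option is absent
# depends on the BIND version (the reply above says 9.3.0 and later default
# dnssec-enable to no).  Take the real values from the ARM of the version you
# run and pass them to audit_dnssec().
ASSUMED_DEFAULTS = {"dnssec-enable": "no", "dnssec-validation": "yes"}

# Constructed sample; not taken from any real host.
SAMPLE_NAMED_CONF = """
options {
    directory "/etc/namedb";
    dnssec-enable yes;
    /* dnssec-validation yes; */   // commented out, so the default applies
    # dnssec-enable no;            <- also a comment, must not win
};
view "internal" {
    match-clients { 10.0.0.0/8; };
    dnssec-validation no;
    zone "example.test" { type master; file "example.db"; };
};
view "external" {
    recursion no;
};
"""

_HEADER_RE = re.compile(r'\b(options|view)\b\s*(?:"?([\w.-]+)"?)?\s*\{')

def strip_comments(text: str) -> str:
    """Drop the three comment forms named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def _close_of(text: str, open_pos: int) -> int:
    """Index of the '}' that closes the '{' at open_pos."""
    depth = 0
    for i in range(open_pos, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return i
    raise ValueError("unbalanced braces in named.conf")

def top_level_blocks(text: str) -> Dict[str, str]:
    """Bodies of the top-level options block and each view block, keyed
    'options' or 'view:<name>'.  Scanning resumes after each closing brace,
    so nothing nested inside a block is mistaken for a top-level block."""
    blocks: Dict[str, str] = {}
    pos = 0
    while (m := _HEADER_RE.search(text, pos)):
        start, end = m.end() - 1, _close_of(text, m.end() - 1)
        key = "options" if m.group(1) == "options" else f"view:{m.group(2)}"
        blocks[key] = text[start + 1:end]
        pos = end + 1
    return blocks

def _own_option(body: str, name: str) -> Optional[str]:
    """'yes'/'no' for '<name> ...;' written directly in body, skipping
    statements inside sub-blocks (zone, match-clients, ...); 'auto' counts
    as yes.  None when the option is not set at this level."""
    flat, depth = [], 0
    for ch in body:
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if depth == 0 and ch != "}":
            flat.append(ch)
    m = re.search(rf"\b{re.escape(name)}\s+(yes|no|true|false|auto)\s*;", "".join(flat))
    return None if m is None else ("yes" if m.group(1) in ("yes", "true", "auto") else "no")

def audit_dnssec(conf_text: str, defaults: Dict[str, str]) -> Dict[str, dict]:
    """Per scope: effective value of each option with its origin ('explicit',
    'inherited' from options, or 'default') and 'validation_active', True when
    both resolve to yes, i.e. the state the advisory's workaround turns off."""
    blocks = top_level_blocks(strip_comments(conf_text))
    global_body = blocks.get("options", "")
    report: Dict[str, dict] = {}
    for scope, body in [("options", global_body)] + [kv for kv in blocks.items() if kv[0] != "options"]:
        entry: dict = {}
        for name in OPTION_NAMES:
            value, origin = _own_option(body, name), "explicit"
            if value is None and scope != "options":
                value, origin = _own_option(global_body, name), "inherited"
            if value is None:
                value, origin = defaults[name], "default"
            entry[name] = (value, origin)
        entry["validation_active"] = all(entry[n][0] == "yes" for n in OPTION_NAMES)
        report[scope] = entry
    return report

if __name__ == "__main__":
    for scope, entry in audit_dnssec(SAMPLE_NAMED_CONF, ASSUMED_DEFAULTS).items():
        print(scope, "validating" if entry["validation_active"] else "not validating",
              {n: entry[n] for n in OPTION_NAMES})
```

On the sample, the options scope and the "external" view come out validating (the latter purely by inheritance and default, which is the case the reply's remark about defaults is about), while "internal" is not, because it sets dnssec-validation no explicitly. A scope reported as validating on an unpatched host is one where the advisory's workaround still applies until the patch from section V is built and named restarted; the script reads configuration only and says nothing about which BIND revision is running.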