From owner-freebsd-security@FreeBSD.ORG Thu Jan 7 08:35:47 2010 Return-Path: Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1C79C106566C for ; Thu, 7 Jan 2010 08:35:47 +0000 (UTC) (envelope-from uehata@firstserver.co.jp) Received: from fbvrgw.firstserver.ne.jp (fbvrgw.firstserver.ne.jp [164.46.1.51]) by mx1.freebsd.org (Postfix) with ESMTP id A183D8FC14 for ; Thu, 7 Jan 2010 08:35:46 +0000 (UTC) Received: from vrgw9.firstserver.ne.jp (vrgw9.firstserver.ne.jp [164.46.1.107]) by fbvrgw.firstserver.ne.jp (8.14.3/8.13.8/FirstServer) with ESMTP id o078PB5R025469 for ; Thu, 7 Jan 2010 17:25:11 +0900 (JST) (envelope-from uehata@firstserver.co.jp) Received: from fvrsp25.firstserver.ne.jp (fvrsp25.firstserver.ne.jp [203.183.16.3]) by vrgw9.firstserver.ne.jp (8.14.3/8.13.8/FirstServer) with ESMTP id o078PADU016746 for ; Thu, 7 Jan 2010 17:25:10 +0900 (JST) (envelope-from uehata@firstserver.co.jp) Received: from 164.46.1.252 (164.46.1.252) by fvrsp25.firstserver.ne.jp (F-Secure/virusgw_smtp/302/fvrsp25.firstserver.ne.jp); Thu, 7 Jan 2010 17:25:10 +0900 (JST) X-Virus-Status: clean(F-Secure/virusgw_smtp/302/fvrsp25.firstserver.ne.jp) Date: Thu, 07 Jan 2010 17:25:10 +0900 From: Uehata Keiji To: freebsd-security@FreeBSD.org In-Reply-To: <201001062254.o06Msord089040@freefall.freebsd.org> References: <201001062254.o06Msord089040@freefall.freebsd.org> Message-Id: <20100107165933.96D1.1F47C451@firstserver.co.jp> MIME-Version: 1.0 Content-Type: text/plain; charset="ISO-2022-JP" Content-Transfer-Encoding: 7bit X-Mailer: Becky! ver. 2.48.01 [ja] Cc: Subject: Re: ANNOUNCE: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-10:01.bind X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Jan 2010 08:35:47 -0000 お疲れ様です。上畑@技術Gです。 Yライト、おとくフリーセルは dnssec-enable no;で全て統一設定されていた為、問題ありません。 また 9.3.0からは記述がない場合でもdnssec-enable noがデフォルト値となっている ようです。 以上よろしくお願いします。 --------------------------------------- ファーストサーバ株式会社   運用技術部 技術グループ    上畑 圭史  e-mail:uehata@firstserver.co.jp TEL :050-3160-0763 / 06-6261-3332(代表) FAX :06-6125-1733 URL :http://www.fsv.jp/ http://www.firstserver.co.jp/ 住所:〒541-0052 大阪市中央区安土町1丁目8番15号 野村不動産大阪ビル3F --------------------------------------- > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > ============================================================================= > FreeBSD-SA-10:01.bind Security Advisory > The FreeBSD Project > > Topic: BIND named(8) cache poisoning with DNSSEC validation > > Category: contrib > Module: bind > Announced: 2010-01-06 > Credits: Michael Sinatra > Affects: All supported versions of FreeBSD. > Corrected: 2009-12-11 01:23:58 UTC (RELENG_8, 8.0-STABLE) > 2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2) > 2009-12-11 02:23:04 UTC (RELENG_7, 7.2-STABLE) > 2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6) > 2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10) > 2010-01-06 21:45:30 UTC (RELENG_6, 6.4-STABLE) > 2010-01-06 21:45:30 UTC (RELENG_6_4, 6.4-RELEASE-p9) > 2010-01-06 21:45:30 UTC (RELENG_6_3, 6.3-RELEASE-p15) > CVE Name: CVE-2009-4022 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . > > I. Background > > BIND 9 is an implementation of the Domain Name System (DNS) protocols. > The named(8) daemon is an Internet Domain Name Server. > > DNS Security Extensions (DNSSEC) provides data integrity, origin > authentication and authenticated denial of existence to resolvers. > > II. Problem Description > > If a client requests DNSSEC records with the Checking Disabled (CD) flag > set, BIND may cache the unvalidated responses. These responses may later > be returned to another client that has not set the CD flag. > > III. Impact > > If a client can send such queries to a server, it can exploit this > problem to mount a cache poisoning attack, seeding the cache with > unvalidated information. > > IV. Workaround > > Disabling DNSSEC validation will prevent BIND from caching unvalidated > records, but also prevent DNSSEC authentication of records. Systems not > using DNSSEC validation are not affected. > > V. Solution > > Perform one of the following: > > 1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE, > or to the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or > RELENG_6_3 security branch dated after the correction date. > > 2) To patch your present system: > > The following patches have been verified to apply to FreeBSD 6.3, 6.4, > 7.1, 7.2, and 8.0 systems. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > [FreeBSD 6.3] > # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-63.patch > # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-63.patch.asc > > [FreeBSD 6.4] > # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-64.patch > # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-64.patch.asc > > [FreeBSD 7.1] > # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-71.patch > # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-71.patch.asc > > [FreeBSD 7.2] > # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-72.patch > # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-72.patch.asc > > [FreeBSD 8.0] > # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-80.patch > # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-80.patch.asc > > b) Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > # cd /usr/src/lib/bind > # make obj && make depend && make && make install > # cd /usr/src/usr.sbin/named > # make obj && make depend && make && make install > # /etc/rc.d/named restart > > NOTE WELL: Users running FreeBSD 6 and using DNSSEC are advised to get > a more recent BIND version with more complete DNSSEC support. This > can be done either by upgrading to FreeBSD 7.x or later, or installing > BIND for the FreeBSD Ports Collection. > > VI. Correction details > > The following list contains the revision numbers of each file that was > corrected in FreeBSD. > > CVS: > > Branch Revision > Path > - ------------------------------------------------------------------------- > RELENG_6 > src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.1.4.4 > src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.1.4.2 > src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.11 > src/contrib/bind9/lib/dns/masterdump.c 1.1.1.1.4.3 > src/contrib/bind9/lib/dns/validator.c 1.1.1.2.2.6 > src/contrib/bind9/bin/named/query.c 1.1.1.1.4.7 > RELENG_6_4 > src/UPDATING 1.416.2.40.2.13 > src/sys/conf/newvers.sh 1.69.2.18.2.15 > src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.1.4.3.2.1 > src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.1.4.1.4.1 > src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.9.2.1 > src/contrib/bind9/lib/dns/masterdump.c 1.1.1.1.4.1.4.1 > src/contrib/bind9/lib/dns/validator.c 1.1.1.2.2.4.2.1 > src/contrib/bind9/bin/named/query.c 1.1.1.1.4.5.2.1 > RELENG_6_3 > src/UPDATING 1.416.2.37.2.20 > src/sys/conf/newvers.sh 1.69.2.15.2.19 > src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.1.4.2.2.1 > src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.1.4.1.2.1 > src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.6.2.2 > src/contrib/bind9/lib/dns/masterdump.c 1.1.1.1.4.1.2.1 > src/contrib/bind9/lib/dns/validator.c 1.1.1.2.2.3.2.1 > src/contrib/bind9/bin/named/query.c 1.1.1.1.4.4.2.1 > RELENG_7 > src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.4.2.4 > src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.3.2.2 > src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.6 > src/contrib/bind9/lib/dns/masterdump.c 1.1.1.3.2.3 > src/contrib/bind9/lib/dns/validator.c 1.1.1.6.2.5 > src/contrib/bind9/bin/named/query.c 1.1.1.6.2.4 > RELENG_7_2 > src/UPDATING 1.507.2.23.2.9 > src/sys/conf/newvers.sh 1.72.2.11.2.10 > src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.4.2.2.2.1 > src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.3.8.1 > src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.4.2.1 > src/contrib/bind9/lib/dns/masterdump.c 1.1.1.3.2.1.2.1 > src/contrib/bind9/lib/dns/validator.c 1.1.1.6.2.3.2.1 > src/contrib/bind9/bin/named/query.c 1.1.1.6.2.2.2.1 > RELENG_7_1 > src/UPDATING 1.507.2.13.2.13 > src/sys/conf/newvers.sh 1.72.2.9.2.14 > src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.4.2.1.4.1 > src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.3.6.1 > src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.3.2.1 > src/contrib/bind9/lib/dns/masterdump.c 1.1.1.3.6.1 > src/contrib/bind9/lib/dns/validator.c 1.1.1.6.2.1.4.1 > src/contrib/bind9/bin/named/query.c 1.1.1.6.2.1.4.1 > RELENG_8 > src/contrib/bind9/lib/dns/rbtdb.c 1.3.2.2 > src/contrib/bind9/lib/dns/include/dns/types.h 1.2.2.2 > src/contrib/bind9/lib/dns/resolver.c 1.6.2.2 > src/contrib/bind9/lib/dns/masterdump.c 1.3.2.2 > src/contrib/bind9/lib/dns/validator.c 1.4.2.2 > src/contrib/bind9/bin/named/query.c 1.3.2.2 > RELENG_8_0 > src/UPDATING 1.632.2.7.2.5 > src/sys/conf/newvers.sh 1.83.2.6.2.5 > src/contrib/bind9/lib/dns/rbtdb.c 1.3.4.1 > src/contrib/bind9/lib/dns/include/dns/types.h 1.2.4.1 > src/contrib/bind9/lib/dns/resolver.c 1.6.4.1 > src/contrib/bind9/lib/dns/masterdump.c 1.3.4.1 > src/contrib/bind9/lib/dns/validator.c 1.4.4.1 > src/contrib/bind9/bin/named/query.c 1.3.4.1 > - ------------------------------------------------------------------------- > > Subversion: > > Branch/path Revision > - ------------------------------------------------------------------------- > stable/6/ r200394 > releng/6.4/ r201679 > releng/6.3/ r201679 > stable/7/ r200393 > releng/7.2/ r201679 > releng/7.1/ r201679 > stable/8/ r200383 > releng/8.0/ r201679 > head/ r199958 > - ------------------------------------------------------------------------- > > VII. References > > https://www.isc.org/node/504 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022 > > The latest revision of this advisory is available at > http://security.FreeBSD.org/advisories/FreeBSD-SA-10:01.bind.asc > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (FreeBSD) > > iD8DBQFLRQ9dFdaIBMps37IRAip+AJ0S55AYqLsrwrLLMo8Qi6fGxoH7EQCfU/6K > RUb5Kn+O1qc/FUzEQ12AmrA= > =Pfoo > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-announce@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-announce > To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org" >