[Security Announce] [ MDKSA-2007:149 ] - Updated BIND9 packages fix vulnerabilities
Posted on: 07/25/2007 11:45 PM

The Mandriva Security Team published a new security update for Mandriva Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2007:149
http://www.mandriva.com/security/
_______________________________________________________________________

Package : bind
Date : December 31, 1969
Affected: 2007.0, 2007.1, Corporate 3.0, Corporate 4.0,
Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

The DNS query id generation code in BIND9 is vulnerable to
cryptographic analysis which provides a 1-in-8 change of guessing the
next query ID for 50% of the query IDs, which could be used by a remote
attacker to perform cache poisoning by an attacker (CVE-2007-2926).

As well, in BIND9 9.4.x, the default ACLs were note being correctly
set, which could allow anyone to make recursive queries and/or query
the cache contents (CVE-2007-2925).

This update provides packages which are patched to prevent these
issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2925
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926
http://www.isc.org/index.pl?/sw/bind/bind-security.php
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.0:
2ebbd9a8148b7b4f05d255724627e348 2007.0/i586/bind-9.3.2-8.3mdv2007.0.i586.rpm
386aa2bab5b3e23cb0c6f19bc17b0cd5 2007.0/i586/bind-devel-9.3.2-8.3mdv2007.0.i586.rpm
d8e4b592f2d0fa630e32c23c50ab2565 2007.0/i586/bind-utils-9.3.2-8.3mdv2007.0.i586.rpm
557c41948b1ff0e4f329e2592c0dcb9f 2007.0/SRPMS/bind-9.3.2-8.3mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
7fe09bf456f8a4d83ee7e4caad08b791 2007.0/x86_64/bind-9.3.2-8.3mdv2007.0.x86_64.rpm
e5d4a371c47e6a6f6567c454766ea734 2007.0/x86_64/bind-devel-9.3.2-8.3mdv2007.0.x86_64.rpm
5a41c963b1e5fab7515856f14ec4c3c4 2007.0/x86_64/bind-utils-9.3.2-8.3mdv2007.0.x86_64.rpm
557c41948b1ff0e4f329e2592c0dcb9f 2007.0/SRPMS/bind-9.3.2-8.3mdv2007.0.src.rpm

Mandriva Linux 2007.1:
c5edcec0bc385a1a2c717963b0f15dc0 2007.1/i586/bind-9.4.1-0.2mdv2007.1.i586.rpm
9c579fed148a85a852b73828613cafde 2007.1/i586/bind-devel-9.4.1-0.2mdv2007.1.i586.rpm
9a761cb0c7128b83522934b2d9cc2dfc 2007.1/i586/bind-utils-9.4.1-0.2mdv2007.1.i586.rpm
af14ae7948a33b1bf21d9bcafbf0e98e 2007.1/SRPMS/bind-9.4.1-0.2mdv2007.1.src.rpm

Mandriva Linux 2007.1/X86_64:
7a612949e7810f83e1322a574be9500c 2007.1/x86_64/bind-9.4.1-0.2mdv2007.1.x86_64.rpm
ece5e802b3d5928999c34b1f9c95dfc8 2007.1/x86_64/bind-devel-9.4.1-0.2mdv2007.1.x86_64.rpm
b3ccec62bfc5d07b9858f04ce8de8fd1 2007.1/x86_64/bind-utils-9.4.1-0.2mdv2007.1.x86_64.rpm
af14ae7948a33b1bf21d9bcafbf0e98e 2007.1/SRPMS/bind-9.4.1-0.2mdv2007.1.src.rpm

Corporate 3.0:
d0dae82e4a5f3e1e4c13c8886daa7e7b corporate/3.0/i586/bind-9.2.3-6.4.C30mdk.i586.rpm
237a8a3b0d0f3407a93a7f308eb7ac06 corporate/3.0/i586/bind-devel-9.2.3-6.4.C30mdk.i586.rpm
abcf17e76c7cdf8ec8e6bbef2adfd79c corporate/3.0/i586/bind-utils-9.2.3-6.4.C30mdk.i586.rpm
bf83bec867df0283d4977e50b8a51a09 corporate/3.0/SRPMS/bind-9.2.3-6.4.C30mdk.src.rpm

Corporate 3.0/X86_64:
1394468eeb12fb9c2c52147eb1637a83 corporate/3.0/x86_64/bind-9.2.3-6.4.C30mdk.x86_64.rpm
cd488003e8eb7174aa844896ace756f2 corporate/3.0/x86_64/bind-devel-9.2.3-6.4.C30mdk.x86_64.rpm
f2fb153097f51bc2e99e31051b8b83cb corporate/3.0/x86_64/bind-utils-9.2.3-6.4.C30mdk.x86_64.rpm
bf83bec867df0283d4977e50b8a51a09 corporate/3.0/SRPMS/bind-9.2.3-6.4.C30mdk.src.rpm

Corporate 4.0:
324fe3327eada40144bf44b4a31ba869 corporate/4.0/i586/bind-9.3.2-7.3.20060mlcs4.i586.rpm
c2f1b22c3edd38f9a8c87d96ca36b271 corporate/4.0/i586/bind-devel-9.3.2-7.3.20060mlcs4.i586.rpm
6f1cc8352c44a5ecf3affaf86981d505 corporate/4.0/i586/bind-utils-9.3.2-7.3.20060mlcs4.i586.rpm
e36c4caca840fb114238bffa3875e8a5 corporate/4.0/SRPMS/bind-9.3.2-7.3.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
c7a8dfd717b9a09d8dc41a3cb965dc5b corporate/4.0/x86_64/bind-9.3.2-7.3.20060mlcs4.x86_64.rpm
138e7372d556d5d9e4752fd8b0f2a51f corporate/4.0/x86_64/bind-devel-9.3.2-7.3.20060mlcs4.x86_64.rpm
bea2637f03f65bb5348518be66829d73 corporate/4.0/x86_64/bind-utils-9.3.2-7.3.20060mlcs4.x86_64.rpm
e36c4caca840fb114238bffa3875e8a5 corporate/4.0/SRPMS/bind-9.3.2-7.3.20060mlcs4.src.rpm

Multi Network Firewall 2.0:
518dcd7390cbb5e05d2303ca1743c793 mnf/2.0/i586/bind-9.2.3-6.4.M20mdk.i586.rpm
22b28fe7739525ac2fe596a522473c32 mnf/2.0/i586/bind-devel-9.2.3-6.4.M20mdk.i586.rpm
a6cb4e78f4f0f59a173ac58abd50011c mnf/2.0/i586/bind-utils-9.2.3-6.4.M20mdk.i586.rpm
00a33a7531bbf5bad6d74bb9f3978a78 mnf/2.0/SRPMS/bind-9.2.3-6.4.M20mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
lt;security*mandriva.comgt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGp5JimqjQ0CJFipgRAqD6AJ9OTBYJpKC/KgUUCTznXm0MpPuWTQCfcVP9
ZQO+2o8wd82rf9m4/arm09M=
=vTH7
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/security_announce_mdksa_2007149__updated_bind9_packages_fix_vulnerabilities.html)