Date: Wed, 20 Nov 2002 02:23:17 +0900
From: NetBSD Security Officer <security-officer@netbsd.org.>
To: [email protected]Subject: NetBSD Security Advisory 2002-029: named(8) multiple denial of service and remote execution of code
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2002-029
Topic: named(8) multiple denial of service and remote execution of code
Version: NetBSD-current: November 15, 2002
NetBSD 1.6: affected
NetBSD-1.5.3: affected
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
pkgsrc: bind-4.9.10 and prior, bind-8.3.3 and prior
Severity: Remote root compromise
Fixed: NetBSD-current: November 15, 2002
NetBSD-1.6 branch: November 16, 2002
NetBSD-1.5 branch: November 16, 2002
pkgsrc: bind-4.9.10nb1, bind-8.3.3nb1
Abstract
========
named(8) version 8.3.3, which is shipped with NetBSD, is vulnerable to
remote execution of malicious code, and multiple denial of service attacks.
Technical Details
=================
http://www.isc.org/products/BIND/bind-security.html
See the sections named: BIND: Remote Execution of Code"
and "BIND: Multiple Denial of Service
Solutions and Workarounds
If you are not running named(8), your system is not affected.
BIND 9 is not affected by these vulnerabilities. Upgrading to BIND 9 is
recommended. BIND 9 is available in the NetBSD Pkgsrc Collection
(pkgsrc/net/bind9).
onfiguration files differ between BIND 8 and 9. Plan such a migration
appropriately.
BIND 8 servers with recursion disabled are not vulnerable to the `BIND SIG
Cached RR Overflow Vulnerability' nor to the `BIND SIG Expiry Time DoS'.
to disable recursion, edit the BIND 8 configuration file (default path
/etc/namedb/named.conf) to add `recursion no;' and `fetch-glue no;' to
the options statement as shown:
options {
recursion no;
fetch-glue no;
/* ... other options ... */
};
The following instructions describe how to upgrade your named
binaries by updating your source tree and rebuilding and
installing a new version of named.
Be sure to restart running instance of named(8) after installation.
* NetBSD-current:
Systems running NetBSD-current dated from before 2002-11-15
should be upgraded to NetBSD-current dated 2002-11-15 or later.
The following directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
dist/bind
usr.sbin/bind
To update from CVS, re-build, and re-install named:
# cd src
# cvs update -d -P dist/bind usr.sbin/bind
# cd usr.sbin/bind
# make obj dependall
# make install
* NetBSD 1.6:
Systems running NetBSD 1.6 dated from before 2002-11-16 should
be upgraded to NetBSD 1.6 dated 2002-11-16 or later.
The following directories need to be updated from the
netbsd-1-6 CVS branch:
dist/bind
usr.sbin/bind
To update from CVS, re-build, and re-install named:
# cd src
# cvs update -d -P -r netbsd-1-6 dist/bind usr.sbin/bind
# cd usr.sbin/bind
# make obj dependall
# make install
* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
Systems running NetBSD 1.5, 1.5.1, 1.5.2 or 1.5.3 dated from before
2002-11-16 should be upgraded to NetBSD 1.5 dated 2002-11-16 or
later.
The following directories need to be updated from the
netbsd-1-5 CVS branch:
dist/bind
usr.sbin/bind
To update from CVS, re-build, and re-install named:
# cd src
# cvs update -d -P -r netbsd-1-5 dist/bind usr.sbin/bind
# cd usr.sbin/bind
# make obj dependall
# make install
* pkgsrc
bind-4.9.10 and prior, as well as bind-8.3.3 and prior are vulnerable.
Upgrade to bind-4.9.10nb1, or bind-8.3.3nb1 (or later).
Thanks To
=========
FreeBSD Security-Officer, for portions of the workaround text.
Revision History
===============
2002-11-20 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-029.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-029.txt,v 1.7 2002/11/19 17:09:59 david Exp $
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBPdpxjj5Ru2/4N2IFAQH26AP/Zn+HG+u0Lwryq/fflxUJLO3Ib3QXZH14
hD/SWfkCExbZmd/5kkDdcMRfe33VTvSqZRw0IRGacErkO8cC8sbUUA9RYxAsxmpG
VMVNGMTaYlFDzGKPzyVmt9/4lAPvtR/Rd/bfJSUEfOIygNcQIvCpYN895aAFBWzl
gL8QNrRO7LY=
=1XM+
-----END PGP SIGNATURE-----
