CERT mailing list archives
Current Activity - Internet Systems Consortium BIND Vulnerabilities
From: Current Activity <us-cert () us-cert gov>
Date: Thu, 2 Dec 2010 09:32:07 -0500

US-CERT Current Activity

Internet Systems Consortium BIND Vulnerabilities

Original release date: December 2, 2010 at 9:22 am
Last revised: December 2, 2010 at 9:22 am

The Internet Systems Consortium (ISC) has released three advisories to address multiple vulnerabilities affecting BIND.

The first advisory, CVE-2010-3613, addresses a vulnerability in BIND versions 9.6.2 to 9.6.2-P2, 9.6-ESV to 9.6-ESV-R2, and 9.70 to 9.7.2-P2. This vulnerability exists when cache incorrectly allows an ncache entry and a rrsig for the same type. Exploitation of this vulnerability may allow a remote attacker to cause a denial-of-service condition. Additional information regarding this vulnerability can be found in US-CERT Vulnerability Note VU#706148.

The second advisory, CVE-2010-3614, addresses a vulnerability in BIND versions 9.0.x to 9.7.2-P2, 9.4-ESV to 9.4-ESV-R3, and 9.6-ESV to 9.6-ESV-R2. This vulnerability exists when "named" incorrectly marks zone data as insecure when the zone being queried is undergoing a key algorithm rollover. Exploitation of this vulnerability may allow answers to be incorrectly marked as insecure. Additional information regarding this vulnerability can be found in US-CERT Vulnerability Note VU#837744.

The third advisory, CVE-2010-3615, addresses a vulnerability in BIND version 9.7.2-P2. This vulnerability is due to the incorrect processing of "allow-query". Exploitation of this vulnerability may allow a remote attacker to bypass access restrictions. Additional information regarding this vulnerability can be found in US-CERT Vulnerability Note VU#510208.

US-CERT encourages users and administrators to review the advisories listed above and apply any necessary updates to help mitigate the risks. Because OpenSSL is often packaged in larger third-party applications or operating system distributions, users and administrators should check with their software vendors for updated versions.

Relevant Url(s):
<https://www.isc.org/software/bind/advisories/cve-2010-3613>
<https://www.isc.org/software/bind/advisories/cve-2010-3615>
<https://www.isc.org/software/bind/advisories/cve-2010-3614>
<http://www.kb.cert.org/vuls/id/510208>
<http://www.kb.cert.org/vuls/id/837744>
<http://www.kb.cert.org/vuls/id/706148>

====
This entry is available at
http://www.us-cert.gov/current/index.html#internet_systems_consortium_bind_vulnerabilities