oss-sec mailing list archives

Re: a new bind issue


From: Josh Bressers <bressers () redhat com>
Date: Tue, 24 Nov 2009 13:40:10 -0500 (EST)

CVE-2009-4022

Bind versions 9.0.x, 9.1.x, 9.2.x, 9.3.x, 9.4.0 before 9.4.3-P3, 9.5.0,
9.5.1, 9.5.2, 9.6.0, 9.6.1-P1

References:
https://www.isc.org/node/504
http://www.kb.cert.org/vuls/id/418861
https://bugzilla.redhat.com/show_bug.cgi?id=538744

Thanks.

-- 
    JB

----- "Oden Eriksson" <oeriksson () mandriva com> wrote:

Hello.

A new bind release is out there, it mentions:

"It addresses a potential cache poisoning vulnerability, in which data in the
additional section of a response could be cached without proper DNSSEC
validation."

"2772.   [security]      When validating, track whether pending data was from
                        the additional section or not and only return it if
                        validates as secure. [RT #20438]"


A CVE should probably be assigned.


-- 
Regards // Oden Eriksson
Security team manager - Mandriva

