From debian-security-announce@lists.debian.org Thu Nov 14 13:25:15 2002
From: debian-security-announce@lists.debian.org
Resent-From: list@murphy.debian.org (SmartList)
To: full-disclosure@lists.netsys.com
Date: Thu, 14 Nov 2002 12:04:23 -0500
Reply-To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] [SECURITY] [DSA-196-1] New BIND packages fix several vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 196-1                     security@debian.org
http://www.debian.org/security/                         Daniel Jacobowitz
November 14th, 2002                     http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : bind
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE Id         : CAN-2002-1219 CAN-2002-1220 CAN-2002-1221
CERT advisory  : VU#844360 VU#852283 VU#229595 VU#542971

[Bind version 9, the bind9 package, is not affected by these problems.]

ISS X-Force has discovered several serious vulnerabilities in the
Berkeley Internet Name Domain Server (BIND). BIND is the most common
implementation of the DNS (Domain Name Service) protocol, which is used
on the vast majority of DNS servers on the Internet. DNS is a vital
Internet protocol that maintains a database of easy-to-remember domain
names (host names) and their corresponding numerical IP addresses.

Circumstantial evidence suggests that the Internet Software Consortium
(ISC), maintainers of BIND, was made aware of these issues in
mid-October. Distributors of Open Source operating systems, including
Debian, were notified of these vulnerabilities via CERT about 12 hours
before the release of the advisories on November 12th. This
notification did not include any details that allowed us to identify
the vulnerable code, much less prepare timely fixes.

Unfortunately ISS and the ISC released their security advisories with
only descriptions of the vulnerabilities, without any patches. Even
though there were no signs that these exploits are known to the
black-hat community, and there were no reports of active attacks, such
attacks could have been developed in the meantime - with no fixes
available.

We can all express our regret at the inability of the ironically named
Internet Software Consortium to work with the Internet community in
handling this problem. Hopefully this will not become a model for
dealing with security issues in the future.

The Common Vulnerabilities and Exposures (CVE) project identified the
following vulnerabilities:

1. CAN-2002-1219: A buffer overflow in BIND 8 versions 8.3.3 and
   earlier allows a remote attacker to execute arbitrary code via a
   certain DNS server response containing SIG resource records (RR).
   This buffer overflow can be exploited to obtain access to the victim
   host under the account the named process is running with, usually
   root.

2. CAN-2002-1220: BIND 8 versions 8.3.x through 8.3.3 allows a remote
   attacker to cause a denial of service (termination due to assertion
   failure) via a request for a subdomain that does not exist, with an
   OPT resource record with a large UDP payload size.

3. CAN-2002-1221: BIND 8 versions 8.x through 8.3.3 allows a remote
   attacker to cause a denial of service (crash) via SIG RR elements
   with invalid expiry times, which are removed from the internal BIND
   database and later cause a null dereference.

These problems have been fixed in version 8.3.3-2.0woody1 for the
current stable distribution (woody), in 8.2.3-0.potato.3 for the
previous stable distribution (potato) and in version 8.3.3-3 for the
unstable distribution (sid). The fixed packages for unstable will
enter the archive today.

We recommend that you upgrade your bind package immediately, update to
bind9, or switch to another DNS server implementation.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 2.2 (oldstable)
- ----------------------

  Oldstable was released for alpha, arm, i386, m68k, powerpc and sparc.

Debian 3.0 (stable)
- -------------------

  Stable was released for alpha, arm, hppa, i386, ia64, m68k, mips,
  mipsel, powerpc, s390 and sparc.

  These files will probably be moved into the stable distribution on
  its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE909c5bgOPXuCjg3cRAqjYAJwIr0RACSJUzhbWhS5tyDls4H0TqQCdHQNS
1Jr9O6UgS5W0S6oXCCp5Ulc=
=ju51
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html