
CERT bind alert.



Henry Hollenberg <speed@barney.iamerica.net> wrote:
> Has anyone assessed the impact of the bind exploit announced by CERT
> today?

> I'm using bind_4.9.6-1.deb, so would be curious as to where I stood,
> what the fixes were.

> Thanks

>        Henry Hollenberg     speed@barney.iamerica.net

Ya know what sucks?

I worked my butt off to get it patched and packaged up, made the .deb's,
got them uploaded a few places:

ftp://ftp.linpeople.org/pub/Software/Bind/bind_8.1.1-7.1_i386.deb
http://www.oz.net/~rcw/bind_8.1.1-7.1_i386.deb

And then I was in the middle of composing a message to this list with a
big scary subject like "SECURITY FIX:" which forced me to quote the CERT
advisory (causing me to *read* it :)...

>Date: Wed, 8 Apr 1998 17:45:08 -0400
>From: CERT Advisory <cert-advisory@cert.org>
>To: cert-advisory@coal.cert.org
>Subject: CERT Advisory CA-98.05 - bind_problems
>Reply-To: cert-advisory-request@cert.org
>Organization: CERT(sm) Coordination Center -  +1 412-268-7090
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>=============================================================================
>CERT* Advisory CA-98.05
>Original issue date: April 08, 1998
>
>Topic: Multiple Vulnerabilities in BIND
>        1. Inverse Query Buffer Overrun in BIND 4.9 and BIND 8 Releases
>        2. Denial-of-Service Vulnerabilities in BIND 4.9 and BIND 8 Releases
>        3. Denial-of-Service Vulnerability in BIND 8 Releases
[...]
>II.  Impact
>
>     Topic 1: A remote intruder can gain root-level access to your name server.
>
>     Topics 2 and 3: A remote intruder is able to disrupt normal operation of
>     your name server.
[...]
>*************************************************************************
>Topic 1: Inverse Query Buffer Overrun in BIND 4.9 and BIND 8 Releases
>*************************************************************************
>
>1.A. Description
>
>     BIND 4.9 releases prior to BIND 4.9.7 and BIND 8 releases prior to 8.1.2
>     do not properly bounds check a memory copy when responding to an inverse
>     query request. An improperly or maliciously formatted inverse query on a
>     TCP stream can crash the server or allow an attacker to gain root
>     privileges.
>
>1.B. Determining if your system is vulnerable
>
>     The inverse query feature is disabled by default, so only the systems
>     that have been explicitly configured to allow it are vulnerable.
>
>     BIND 8
>        Look at the "options" block in the configuration file (typically
>        /etc/named.conf). If there is a "fake-iquery yes;" line, then the
>        server is vulnerable.

So, you can't get root on the existing package unless you enabled the
fake-iquery option.

Well that right there ticked me off enough to make me cancel the
message, give up and go to sleep and let Johnie Ingram package up 8.1.2.
(which was designated beta last I heard...)
--
Robert Woodcock - rcw@oz.net
All I want is a warm bed and a kind word and unlimited power.
		-- Ashleigh Brilliant
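
The check from section 1.B of the quoted advisory (a "fake-iquery yes;" line in the "options" block of a BIND 8 configuration), written as an added example that is not part of the original message or of BIND. The sample configuration is constructed, the function names are hypothetical, and the check matches only the literal form the advisory names.

```python
import re

# Constructed sample named.conf, not taken from the original message.
SAMPLE_CONF = '''
// fake-iquery yes;   (commented out, must be ignored)
options {
    directory "/var/named";
    allow-query { any; };
    /* legacy resolver support */
    fake-iquery yes;
};
'''

# Quoted strings, the three comment styles, punctuation, then bare words.
TOKEN = re.compile(
    r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*|[{};]|[^\s{};"]+', re.S)

def tokens(text):
    """Yield named.conf tokens with comments dropped."""
    for m in TOKEN.finditer(text):
        tok = m.group(0)
        if not tok.startswith(('/*', '//', '#')):
            yield tok

def fake_iquery_enabled(conf_text):
    """True if the top-level options block contains 'fake-iquery yes;'."""
    depth, in_options, prev, stmt = 0, False, None, []
    for tok in tokens(conf_text):
        if tok == '{':
            in_options = in_options or (depth == 0 and prev == 'options')
            depth += 1
            stmt = []
        elif tok == '}':
            depth -= 1
            in_options = in_options and depth > 0
            stmt = []
        elif tok == ';':
            # Only statements directly inside options { } count.
            if in_options and depth == 1 and stmt == ['fake-iquery', 'yes']:
                return True
            stmt = []
        else:
            stmt.append(tok)
        prev = tok
    return False

if __name__ == '__main__':
    print('fake-iquery enabled:', fake_iquery_enabled(SAMPLE_CONF))
```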

