Re: Whom the BIND newest vulnerability concerns?

To: Jonathan McDowell <noodles@ox.compsoc.net>
Cc: debian-devel@lists.debian.org
Subject: Re: Whom the BIND newest vulnerability concerns?
From: Tomasz Papszun <tomek@lodz.tpsa.pl>
Date: Fri, 12 Nov 1999 16:45:37 +0100
Message-id: <19991112164537.B30598@lodz.tpsa.pl>
In-reply-to: <19991112131312.B11730@orange.keble.ox.ac.uk>; from Jonathan McDowell on Fri, 12 Nov 1999 at 13:13:12 +0000
References: <19991112140622.A30598@lodz.tpsa.pl> <19991112131312.B11730@orange.keble.ox.ac.uk>

On Fri, 12 Nov 1999 at 13:13:12 +0000, Jonathan McDowell wrote:
> 
> On Fri, Nov 12, 1999 at 02:06:23PM +0100, Tomasz Papszun wrote:
> 
> > the slink (stable) version of bind (1:8.1.25) is relatively old and -
> > according to 
> > http://www.isc.org/products/BIND/bind-security-19991108.html
> > - it contains a few security bugs. 
> > The newest vulnerability _may_ lead to remote root compromise.
> > 
> > Is a corrected package expected?
> > 
> > I'm a little scared of this latest bug... It is connected with "the
> > processing of NXT records". I haven't managed to find a clear description
> > of this type (NXT) records; seems this is quite new type. 
> 
> AIUI NXT support was only introduced in 8.2, so 8.1 should be immune to

Thank you for the answer.
But if a server with version 8.2 has _not_ these NXT records itself, is it
vulnerable due to _outer_ DNS servers or clients?

> this attack, however I think it's vulnerable to at least some of the
> others.

Yes - according to the mentioned URL - to 4 of 6 bugs:

"  The following table summarizes the vulnerability to the bugs mentioned
   in this advisory for all versions of BIND distributed by ISC.
   Upgrading to BIND version 8.2.2 patchlevel 3 is strongly recommended
   for all users of BIND.

   version nxt sig naptr maxdname solinger fdmax
     4.8       -
     4.8.1       -
     4.8.2.1       -
     4.8.3       -
     4.9.3       -
     4.9.4       -
     4.9.4 p1       -
     4.9.5   + + +
     4.9.5 p1   + + +
     4.9.6   + + +
     4.9.7   - + +
     8.1   + + + + +
     8.1.1   + + + + +
     8.1.2   - + + + +
     8.2 + + + + + +
     8.2 p1 + + + + + +
     8.2.1 + + + + + +
     8.2.2 - - + + - -
     8.2.2 p1 - - + + - -
     8.2.2 p2 - - - - - -
     8.2.2 p3 - - - - - - Vulnerable: '+', Not Vulnerable: '-', Feature
   does not exist: '   '	"


Sorry for bad formatting, the original page uses lynx-unfriendly tables.
 
> J.
> 
> -- 
> So long, and thanks for all the fish.                                   
> This .sig was brought to you by the letter G and the numbers 5 & 20
> Product of the Republic of HuggieTag

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 tomek@lodz.tpsa.pl   http://www.lodz.tpsa.pl/   | ones and zeros.

Reply to:

Follow-Ups:
- Re: Whom the BIND newest vulnerability concerns?
  - From: Jonathan McDowell <noodles@ox.compsoc.net>

References:
- Whom the BIND newest vulnerability concerns?
  - From: Tomasz Papszun <tomek@lodz.tpsa.pl>
- Re: Whom the BIND newest vulnerability concerns?
  - From: Jonathan McDowell <noodles@ox.compsoc.net>

Prev by Date: Re: fakeroot: log open() calls?
Next by Date: Re: Whom the BIND newest vulnerability concerns?
Previous by thread: Re: Whom the BIND newest vulnerability concerns?
Next by thread: Re: Whom the BIND newest vulnerability concerns?
Index(es):
- Date
- Thread