BIND8: Multiple vulnerabilities
Package(s): bind
CVE #(s): CAN-2002-1219 CAN-2002-1220 CAN-2002-1221
Created: November 13, 2002
Updated: March 6, 2003
Description: Three new vulnerabilities have been found in version 8 of the Berkeley Internet Domain Server; see this ISS advisory, the CERT Advisory CA-2002-31, or the November 14 LWN Security Page for details.
Red Hat has sent out an alert (not a regular advisory) suggesting that customers apply its previous BIND updates, which upgrade the system to BIND9.
Posted Nov 24, 2002 14:08 UTC (Sun) by stock (guest, #5849)
Date: Fri, 22 Nov 2002 07:17:41 +0100 (CET)
From: Robert M. Stockmann <stock@stokkie.net>
To: jon@lasser.org
Subject: simple bind 9.2.1 example

Hi,

I just read your article "Caught in a BIND"
http://theregister.co.uk/content/55/28235.html

Where you state the following :

"
If you're saddled with an old version, take heart. With the latest security
holes, the programs are vulnerable only when acting as recursive name
servers. In brief, this means that the holes only affect servers that can
look up any address on the Internet. Your name servers should not respond to
such requests from external addresses anyway: to do so opens the door to DNS
cache poisoning attacks. Your name servers should respond only to
authoritative requests from outside your network, and allow recursion only
within the network.

Sadly, most BIND configurations will allow recursion from any address --
that's the default configuration of BIND, another situation that the Internet
Software Consortium should resolve.

When the Internet was designed, nobody imagined swarms of thousands of
six-foot-tall jet-black stealth woodpeckers. Today they're here, and it's
time our architects took the woodpeckers into account.
"

Well, although I agree with you, here's an example where DNS admins with
basic skills could easily generate and figure out how to make their
setups secure:

http://crashrecovery.org/named/

Your conclusion which states transitioning to bind 9 is painful is IMHO
not true, but merely a matter of having accessible documentation with
useful examples.

cheers,

Robert

--
Robert M. Stockmann - RHCE
Network Engineer - UNIX Consultant
crashrecovery.org stock@stokkie.net

========================================================================

Date: Fri, 22 Nov 2002 10:41:49 -0500
From: J. Lasser <jon@lasser.org>
To: Robert M. Stockmann <stock@stokkie.net>
Subject: Re: simple bind 9.2.1 example

In the wise words of Robert M. Stockmann:
> Your conclusion which states transitioning to bind 9 is painful is IMHO
> not true, but merely a matter of having accessible documentation with
> useful examples.

It's painful for ISPs, like the one I worked at with 10,000 zone
records. Each of which was broken.

It's also painful if you have only ten or twenty zone records with
various errors and not a lot of time.

Thanks for your note --- it's always good to hear from readers!

Jon
--
Jon Lasser
Home: jon@lasser.org | Work: jon@cluestickconsulting.com
http://www.tux.org/~lasser/ | http://www.cluestickconsulting.com
Buy my book, _Think_Unix_! http://www.tux.org/~lasser/think-unix/
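The split the quoted article asks for (authoritative answers for anyone, recursion only for the internal network), written out as an added BIND 9.2-era named.conf fragment that is not part of this thread, the article, or the crashrecovery.org examples; the 192.0.2.0/24 range, the secondary address and the example.com zone are assumed placeholders.

```conf
// Added example, not from the thread or the article: a BIND 9.2-era
// named.conf that answers authoritatively for everyone but recurses only
// for the internal network. 192.0.2.0/24 and example.com are placeholders.

// Weak form the article describes: "recursion yes" with no allow-recursion
// lets BIND perform recursive lookups for any address that can reach it.
//
// options {
//     recursion yes;
// };

acl "internal" {
    127.0.0.1;
    192.0.2.0/24;          // assumed internal range; list your own here
};

options {
    directory "/var/named";
    recursion yes;                     // still a resolver for insiders...
    allow-recursion { "internal"; };   // ...but only for the internal ACL
    allow-query { any; };              // authoritative data stays public
    allow-transfer { none; };          // transfers off unless a zone opts in
};

// Zones this server is authoritative for remain answerable from anywhere.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { 192.0.2.53; };    // assumed secondary address
};
```

From an address outside the ACL, `dig @<server> www.example.net` should come back without the `ra` flag and with a referral rather than an answer section. BIND releases of this era still answer such clients from whatever is already in cache; the separate allow-query-cache control only arrived in later 9.x releases.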