LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: August 29th, 2014
Linux Security Week: August 25th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Mandriva: [ MDVSA-2009:037 ] bind Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Mandrake Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077 and CVE-2009-0025. In this particular case the DSA_verify function was fixed with MDVSA-2009:002, this update does however address the RSA_verify function (CVE-2009-0265).
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:037
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : bind
 Date    : February 16, 2009
 Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not
 properly check the return value from the OpenSSL EVP_VerifyFinal
 function, which allows remote attackers to bypass validation of
 the certificate chain via a malformed SSL/TLS signature, a similar
 vulnerability to CVE-2008-5077 and CVE-2009-0025.
 
 In this particular case the DSA_verify function was fixed with
 MDVSA-2009:002, this update does however address the RSA_verify
 function (CVE-2009-0265).
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 1995bb55159c0b12b434c57b7c32a305  2008.0/i586/bind-9.4.2-1.3mdv2008.0.i586.rpm
 7942542098d37b1be3b3cc45ed824a3a  2008.0/i586/bind-devel-9.4.2-1.3mdv2008.0.i586.rpm
 88a21619673fe9b541579f287bee4ca4  2008.0/i586/bind-utils-9.4.2-1.3mdv2008.0.i586.rpm 
 4a8ba040ab7d3fb9c710bcfeb7601ff9  2008.0/SRPMS/bind-9.4.2-1.3mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 45a0c84471cbf3c31da2f51b07e5dcdd  2008.0/x86_64/bind-9.4.2-1.3mdv2008.0.x86_64.rpm
 83e3b9c4af4789fc9156887373e190ad  2008.0/x86_64/bind-devel-9.4.2-1.3mdv2008.0.x86_64.rpm
 a1d910a92913bb809e976963335d3ec9  2008.0/x86_64/bind-utils-9.4.2-1.3mdv2008.0.x86_64.rpm 
 4a8ba040ab7d3fb9c710bcfeb7601ff9  2008.0/SRPMS/bind-9.4.2-1.3mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 b1d620b91aeeeda30eddde159f458aa9  2008.1/i586/bind-9.5.0-3.3mdv2008.1.i586.rpm
 6266f0be18de71d9d9674f4773fbc720  2008.1/i586/bind-devel-9.5.0-3.3mdv2008.1.i586.rpm
 a08062c8bd8ce1395525d7775eaefc71  2008.1/i586/bind-doc-9.5.0-3.3mdv2008.1.i586.rpm
 c0aa3cf70be87286222ddcec64933ddd  2008.1/i586/bind-utils-9.5.0-3.3mdv2008.1.i586.rpm 
 209ce678e0643ba458c59b279326ca57  2008.1/SRPMS/bind-9.5.0-3.3mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 46af49a5a461d6da93441fcfc46f9324  2008.1/x86_64/bind-9.5.0-3.3mdv2008.1.x86_64.rpm
 ca7a532053219a09a57f6ec7203d1ced  2008.1/x86_64/bind-devel-9.5.0-3.3mdv2008.1.x86_64.rpm
 7cea9c996e69430c51de22e3e0bff929  2008.1/x86_64/bind-doc-9.5.0-3.3mdv2008.1.x86_64.rpm
 fe5816ec0c790a0bef2ddb1df281af12  2008.1/x86_64/bind-utils-9.5.0-3.3mdv2008.1.x86_64.rpm 
 209ce678e0643ba458c59b279326ca57  2008.1/SRPMS/bind-9.5.0-3.3mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 5da06c9a5d6f211c4dec3ba08e96b436  2009.0/i586/bind-9.5.0-6.3mdv2009.0.i586.rpm
 5d44ff32935f2323491a96ac4a01a254  2009.0/i586/bind-devel-9.5.0-6.3mdv2009.0.i586.rpm
 9640415878cb94e4d7cb6325ecf3c196  2009.0/i586/bind-doc-9.5.0-6.3mdv2009.0.i586.rpm
 69c0964ae640f731b82607059aa86873  2009.0/i586/bind-utils-9.5.0-6.3mdv2009.0.i586.rpm 
 21042dd8411237227c4cc18eade02d07  2009.0/SRPMS/bind-9.5.0-6.3mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 6aa7b310659ebc0f2d285aac499966f4  2009.0/x86_64/bind-9.5.0-6.3mdv2009.0.x86_64.rpm
 0f4843c929135d38494c155eb5517958  2009.0/x86_64/bind-devel-9.5.0-6.3mdv2009.0.x86_64.rpm
 e3398d5b0e877cf6b6a2413e5f9546f4  2009.0/x86_64/bind-doc-9.5.0-6.3mdv2009.0.x86_64.rpm
 24a0d8fafe7c210bc85434983cc2eeb1  2009.0/x86_64/bind-utils-9.5.0-6.3mdv2009.0.x86_64.rpm 
 21042dd8411237227c4cc18eade02d07  2009.0/SRPMS/bind-9.5.0-6.3mdv2009.0.src.rpm

 Corporate 3.0:
 3c9378a0167e263e83d9105ac7d0566e  corporate/3.0/i586/bind-9.2.3-6.7.C30mdk.i586.rpm
 fc5c1335f1a85e450d3dd20ed81e621f  corporate/3.0/i586/bind-devel-9.2.3-6.7.C30mdk.i586.rpm
 8e1a0a718eb51de4e70b9287266b0c75  corporate/3.0/i586/bind-utils-9.2.3-6.7.C30mdk.i586.rpm 
 c7e931c9818e0731ed32c12e7e9011b4  corporate/3.0/SRPMS/bind-9.2.3-6.7.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 cd4653ae14e91c5844d87321ea237c7c  corporate/3.0/x86_64/bind-9.2.3-6.7.C30mdk.x86_64.rpm
 708b8bbdb1fa1d2150c8cb5208bf8d24  corporate/3.0/x86_64/bind-devel-9.2.3-6.7.C30mdk.x86_64.rpm
 7a3cc2cbe29c9c8397bdcdcd63b543fc  corporate/3.0/x86_64/bind-utils-9.2.3-6.7.C30mdk.x86_64.rpm 
 c7e931c9818e0731ed32c12e7e9011b4  corporate/3.0/SRPMS/bind-9.2.3-6.7.C30mdk.src.rpm

 Corporate 4.0:
 91ee1fc0fa2836df33aad4c3ee72ab8d  corporate/4.0/i586/bind-9.3.5-0.6.20060mlcs4.i586.rpm
 9687a3135e2f364defc1805be357afe5  corporate/4.0/i586/bind-devel-9.3.5-0.6.20060mlcs4.i586.rpm
 1796c645d6562c03e75653a8a2de65ab  corporate/4.0/i586/bind-utils-9.3.5-0.6.20060mlcs4.i586.rpm 
 ec3f68ba6cb3085f82d6fe824e80229f  corporate/4.0/SRPMS/bind-9.3.5-0.6.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 744a195594365d711938d0e40305f780  corporate/4.0/x86_64/bind-9.3.5-0.6.20060mlcs4.x86_64.rpm
 4432e2d80856fa42f7fbb19f1f45e65d  corporate/4.0/x86_64/bind-devel-9.3.5-0.6.20060mlcs4.x86_64.rpm
 7979fca8fc5e3ed01ac1bd7f36ab32f5  corporate/4.0/x86_64/bind-utils-9.3.5-0.6.20060mlcs4.x86_64.rpm 
 ec3f68ba6cb3085f82d6fe824e80229f  corporate/4.0/SRPMS/bind-9.3.5-0.6.20060mlcs4.src.rpm

 Multi Network Firewall 2.0:
 96ca05a11155c146b2c7a4a38b0758a8  mnf/2.0/i586/bind-9.2.3-6.7.C30mdk.i586.rpm
 483d397793d0fa3c4f10c9115f637fff  mnf/2.0/i586/bind-devel-9.2.3-6.7.C30mdk.i586.rpm
 174fa247aea0b3a5b5f2ebaeeeda62a0  mnf/2.0/i586/bind-utils-9.2.3-6.7.C30mdk.i586.rpm 
 169abf8a396dbb7ce2b1ccd1f1d68952  mnf/2.0/SRPMS/bind-9.2.3-6.7.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
How Cops and Hackers Could Abuse California’s New Phone Kill-Switch Law
Why Russian hackers are beating us
DQ Breach? HQ Says No, But Would it Know?
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.