------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-17            security@pardus.org.tr
------------------------------------------------------------------------
      Date: 2010-01-26
  Severity: 3
      Type: Remote
------------------------------------------------------------------------

Summary
=======

A vulnerability was found in Bind, which can be exploited by  malicious 
people to add or change  arbitrary  records  into  dns  cache  in  some 
situations. Note that previous fix for the cache poisoning vulnerability
mentioned in PLSA-2009-193 issue was not complete. This is  a  complete 
fix for it. 


Description
===========

There was an error in the DNSSEC NSEC/NSEC3 validation code that  could 
cause bogus NXDOMAIN responses (that is, NXDOMAIN responses for records 
proven by NSEC or NSEC3 to exist) to be cached as if they had validated 
correctly, so that future queries to the resolver would return the bogus
NXDOMAIN with the AD flag set. 



This problem affects  all  DNSSEC-validating  resolvers.  It  would  be 
difficult to exploit due to other existing  protections  against  cache 
poisoning (including transaction ID and source port randomization), but 
it  could impair  the  ability  of  DNSSEC  to   protect   against   a  
denial-of-service attack on a secure zone. 


Affected packages:

  Pardus 2009:
    bind, all before 9.6.1_p3-25-5


Resolution
==========

There are update(s) for bind. You can update them via Package Manager or
with a single command from console: 

    pisi up bind

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=12105
  * https://bugzilla.redhat.com/show_bug.cgi?id=554851
  * https://www.isc.org/advisories/CVE-2010-0097