------------------------------------------------------------------------
Pardus Linux Security Advisory 2009-05 security@pardus.org.tr
------------------------------------------------------------------------
Date: 2009-01-14
Severity: 3
Type: Remote
------------------------------------------------------------------------
Summary
=======
A vulnerability has been reported in ISC BIND that can potentially be
exploited by malicious people to conduct spoofing attacks.
Description
===========
The vulnerability is caused by certain ISC BIND functions not correctly
checking the return value of the OpenSSL "EVP_VerifyFinal()" and
"DSA_do_verify()" functions when validating the signature of DSA and
NSEC3DSA keys. This may be exploited, for example, to send spoofed
responses from zones using DSA or NSEC3DSA keys.
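
The return-value mistake described above, as an added example (not ISC
BIND or Pardus code). mock_verify() is a constructed stand-in for the
tri-state result OpenSSL documents for EVP_VerifyFinal() and
DSA_do_verify() (1 valid, 0 invalid, -1 error); the flawed check shown is
one common form of the mistake, assumed here for illustration, and all
function names are hypothetical.

```c
#include <stdio.h>

/* Constructed sample inputs: a good signature, a bad one, and one that
 * makes the verification routine fail with an internal error. */
enum sample { SIG_VALID, SIG_WRONG, SIG_ERROR };

/* Stand-in (assumption) for EVP_VerifyFinal()/DSA_do_verify():
 * returns 1 = signature valid, 0 = signature invalid, -1 = error. */
static int mock_verify(enum sample s)
{
    switch (s) {
    case SIG_VALID: return 1;
    case SIG_WRONG: return 0;
    default:        return -1;
    }
}

/* Flawed check: only 0 is treated as failure, so the error value -1
 * falls through and the signature is accepted. */
int accept_flawed(enum sample s)
{
    int rc = mock_verify(s);
    if (rc == 0)
        return 0;   /* reject */
    return 1;       /* accept, also reached when rc == -1 */
}

/* Strict check: accept only when the routine reports exactly 1. */
int accept_strict(enum sample s)
{
    return mock_verify(s) == 1;
}

int main(void)
{
    static const char *names[] = { "valid", "wrong", "error" };
    for (int s = SIG_VALID; s <= SIG_ERROR; s++)
        printf("%-6s flawed=%d strict=%d\n", names[s],
               accept_flawed((enum sample)s), accept_strict((enum sample)s));
    return 0;
}
```

When auditing other callers of these OpenSSL functions, look for tests of
the form "!rc" or "rc == 0"; the safe comparison is against 1.
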
Affected packages:
Pardus 2008:
bind, all before 9.4.3_p1-20-6
bind-tools, all before 9.4.3_p1-20-6
Pardus 2007:
bind, all before 9.4.3_p1-20-11
bind-tools, all before 9.4.3_p1-20-16
Resolution
==========
Updates are available for bind and bind-tools. You can install them via
Package Manager or with a single command from the console:
Pardus 2008:
pisi up bind bind-tools
Pardus 2007:
pisi up bind bind-tools
References
==========
* http://bugs.pardus.org.tr/show_bug.cgi?id=8994
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0025