Pardus: Bind: Spoofing
Posted by Benjamin D. Thomas   
A vulnerability has been reported in ISC BIND, which potentially can be exploited by malicious people to conduct spoofing attacks.

------------------------------------------------------------------------
Pardus Linux Security Advisory 2009-05            security@pardus.org.tr
------------------------------------------------------------------------
      Date: 2009-01-14
  Severity: 3
      Type: Remote
------------------------------------------------------------------------

Summary
=======

A vulnerability has been reported in ISC BIND, which potentially can be 
exploited by malicious people to conduct spoofing attacks. 


Description
===========

The vulnerability is caused by certain ISC BIND functions not correctly
checking the return value of the OpenSSL "EVP_VerifyFinal()" and
"DSA_do_verify()" functions when validating signatures made with DSA and
NSEC3DSA keys. This may be exploited to e.g. send spoofed responses from
zones using DSA or NSEC3DSA keys.
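An added illustration of the return-value check the advisory describes; this is not BIND's or OpenSSL's code. OpenSSL's EVP_VerifyFinal() and DSA_do_verify() return 1 for a valid signature, 0 for a mismatch and -1 on error, so a caller that only rejects 0 lets the error case through as "verified". The verifier below is a constructed stand-in that follows that convention, so the block runs without libssl.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Return convention of OpenSSL's EVP_VerifyFinal() and DSA_do_verify():
 *   1  the signature verifies
 *   0  the signature does not match
 *  -1  an error occurred (e.g. malformed signature, library failure)
 * stand_in_verify() is a constructed replacement that follows the same
 * convention for a fixed 8-byte "signature", so the block runs offline. */
#define SIG_LEN 8
static const unsigned char good_sig[SIG_LEN] =
    { 'S', 'I', 'G', '-', 'O', 'K', '!', '!' };            /* constructed */
static const unsigned char wrong_sig[SIG_LEN] =
    { 'X', 'X', 'X', 'X', 'X', 'X', 'X', 'X' };            /* constructed */
static const unsigned char truncated_sig[3] = { 'S', 'I', 'G' }; /* constructed */

static int stand_in_verify(const unsigned char *sig, size_t siglen)
{
    if (sig == NULL || siglen != SIG_LEN)
        return -1;                      /* error path: input is unusable */
    return memcmp(sig, good_sig, SIG_LEN) == 0 ? 1 : 0;
}

/* Vulnerable pattern: only a return of 0 counts as failure, so the
 * error value -1 falls through and the signature is accepted. */
static bool vulnerable_check(const unsigned char *sig, size_t siglen)
{
    int status = stand_in_verify(sig, siglen);
    if (status == 0)
        return false;                   /* reported as a verify failure */
    return true;                        /* -1 wrongly lands here */
}

/* Corrected pattern: anything other than an explicit 1 is a failure,
 * so the error path can no longer be mistaken for a valid signature. */
static bool fixed_check(const unsigned char *sig, size_t siglen)
{
    return stand_in_verify(sig, siglen) == 1;
}
```

A truncated or otherwise unparsable signature drives the stand-in (like the real functions) onto the -1 path, which is exactly the input the vulnerable check accepts.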


Affected packages:

  Pardus 2008:
    bind, all before 9.4.3_p1-20-6
    bind-tools, all before 9.4.3_p1-20-6

  Pardus 2007:
    bind, all before 9.4.3_p1-20-11
    bind-tools, all before 9.4.3_p1-20-16



Resolution
==========

There are updates for bind and bind-tools. You can update them via
Package Manager or with a single command from the console:

  Pardus 2008:
    pisi up bind bind-tools

  Pardus 2007:
    pisi up bind bind-tools


References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=8994
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0025