[25713] in bugtraq
Security Update: [CSSA-2002-SCO.24] Open UNIX 8.0.0 : BIND 9 Denial-of-Service vulnerability
daemon@ATHENA.MIT.EDU (security@caldera.com)
Mon Jun 10 18:45:51 2002
To: bugtraq@securityfocus.com, announce@lists.caldera.com,
scoannmod@xenitec.on.ca
From: security@caldera.com
Date: Mon, 10 Jun 2002 15:31:35 -0700
Message-ID: <20020610153135.I6833@caldera.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="KsGdsel6WgEHnImy"
Content-Disposition: inline
--KsGdsel6WgEHnImy
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
To: bugtraq@securityfocus.com announce@lists.caldera.com scoannmod@xenitec.on.ca
______________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: Open UNIX 8.0.0 : BIND 9 Denial-of-Service vulnerability
Advisory number: CSSA-2002-SCO.24
Issue date: 2002 June 10
Cross reference:
______________________________________________________________________________
1. Problem Description
An assertion failure in BIND version 9 can be triggered by
certain responses, leading to a denial of service attack.
This security fix updates BIND to version 9.2.1.
2. Vulnerable Supported Versions
System Binaries
----------------------------------------------------------------------
Open UNIX 8.0.0 /usr/sbin/dig
/usr/sbin/dnssec-keygen
/usr/sbin/dnssec-makekeyset
/usr/sbin/dnssec-signkey
/usr/sbin/dnssec-signzone
/usr/sbin/host
/usr/sbin/in.named
/usr/sbin/named-checkconf
/usr/sbin/named-checkzone
/usr/sbin/ndc
/usr/sbin/nslookup
/usr/sbin/nsupdate
/usr/sbin/rndc
3. Solution
The proper solution is to install the latest packages.
4. Open UNIX 8.0.0
4.1 Location of Fixed Binaries
ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.24
4.2 Verification
MD5 (erg712061.pkg.Z) = 14427a77db777d8d630ca906b27d7582
md5 is available for download from
ftp://ftp.caldera.com/pub/security/tools
4.3 Installing Fixed Binaries
Upgrade the affected binaries with the following commands:
Download erg712061.pkg.Z to the /var/spool/pkg directory
# uncompress /var/spool/pkg/erg712061.pkg.Z
# pkgadd -d /var/spool/pkg/erg712061.pkg
5. References
Specific references for this advisory:
http://www.kb.cert.org/vuls/id/739123
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0400
Caldera security resources:
http://www.caldera.com/support/security/index.html
This security fix closes Caldera incidents sr865147, fz521091
and erg712061.
6. Disclaimer
Caldera International, Inc. is not responsible for the
misuse of any of the information we provide on this website
and/or through our security advisories. Our advisories are
a service to our customers intended to promote secure
installation and use of Caldera products.
7. Acknowledgements
The Internet Software Consortium discovered and researched
this vulnerability.
______________________________________________________________________________
--KsGdsel6WgEHnImy
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj0FKMcACgkQaqoBO7ipriFQfwCaAxxlYE7AI1AxMs1TItcvgCMN
sUcAoKBT1IdsvakR8p4OchbfCoB6Agyc
=vu+s
-----END PGP SIGNATURE-----
--KsGdsel6WgEHnImy--
