LISTSERV - SCIENTIFIC-LINUX-USERS Archives

SCIENTIFIC-LINUX-USERS Archives

July 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

	LISTSERV Archives
	SCIENTIFIC-LINUX-USERS Home
	SCIENTIFIC-LINUX-USERS July 2009

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: Security ERRATA Important: bind security for SL 4.x on i386/x86_64
From:	"P. Larry Nelson" <[log in to unmask]>
Reply To:	P. Larry Nelson
Date:	Thu, 30 Jul 2009 15:23:12 -0500
Content-Type:	text/plain
Parts/Attachments:	text/plain (74 lines)

Connie,

On every SL4.7 system I tried, doing a 'yum update', I'm getting
"No Packages marked for Update/Obsoletion".

Checking which bind-libs and bind-utils I have, I'm getting
version: 9.2.4-30.el4_7.1.

Now, the weird part - I first tried (after the message below arrived)
on my test virtual system SL4.7 (guest OS on VMWare) with 'yum update'
and (besides the new kernel) I got version: 9.2.4-30.el4_8.4 of the
bind rpm's.

- Larry

Connie Sieh wrote on 7/30/2009 12:31 PM:
> Synopsis:          Important: bind security and bug fix update
> CVE:               CVE-2009-0696
> 
>   CVE-2009-0696 bind: DoS (assertion failure) via nsupdate packets
> 
> 
> A flaw was found in the way BIND handles dynamic update message packets
> containing the "ANY" record type. A remote attacker could use this flaw to
> send a specially-crafted dynamic update packet that could cause named to
> exit with an assertion failure. (CVE-2009-0696)
> 
> Note: even if named is not configured for dynamic updates, receiving such
> a specially-crafted dynamic update packet could still cause named to exit
> unexpectedly.
> 
> This update also fixes the following bug:
> 
> * when running on a system receiving a large number of (greater than 4,000)
> DNS requests per second, the named DNS nameserver became unresponsive, and
> the named service had to be restarted in order for it to continue serving
> requests. This was caused by a deadlock occurring between two threads that
> led to the inability of named to continue to service requests. This
> deadlock has been resolved with these updated packages so that named no
> longer becomes unresponsive under heavy load. (BZ#512668)
> 
> After installing the update, the BIND daemon (named) will be restarted 
> automatically.
> 
> SRPM:
>    bind-9.2.4-30.el4_8.4.src.rpm
> 
> i386:
>    bind-9.2.4-30.el4_8.4.i386.rpm
>    bind-chroot-9.2.4-30.el4_8.4.i386.rpm
>    bind-devel-9.2.4-30.el4_8.4.i386.rpm
>    bind-libs-9.2.4-30.el4_8.4.i386.rpm
>    bind-utils-9.2.4-30.el4_8.4.i386.rpm
> 
> x86_64:
>    bind-9.2.4-30.el4_8.4.x86_64.rpm
>    bind-chroot-9.2.4-30.el4_8.4.x86_64.rpm
>    bind-devel-9.2.4-30.el4_8.4.x86_64.rpm
>    bind-libs-9.2.4-30.el4_8.4.i386.rpm
>    bind-libs-9.2.4-30.el4_8.4.x86_64.rpm
>    bind-utils-9.2.4-30.el4_8.4.x86_64.rpm
> 
> -Connie Sieh
> -Troy Dawson


-- 
P. Larry Nelson (217-244-9855) | Systems/Network Administrator
461 Loomis Lab                 | High Energy Physics Group
1110 W. Green St., Urbana, IL  | Physics Dept., Univ. of Ill.
MailTo:[log in to unmask]        | http://www.roadkill.com/lnelson/
-------------------------------------------------------------------
  "Information without accountability is just noise."  - P.L. Nelson

ATOM RSS1 RSS2

LISTSERV.FNAL.GOV