SCIENTIFIC-LINUX-ERRATA Archives

July 2008

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

From: Troy Dawson <[log in to unmask]>
Reply To: Troy Dawson <[log in to unmask]>
Date: Tue, 15 Jul 2008 15:53:24 -0500

The RPMs are now up for SL 3.0.x

For SL 5.x there was a quickfix.  Different than a fastbug, this is more of an
"oops, we didn't mean to do that."  It is going out tonight as well.

SL 5.x

We have updated the Scientific Linux 5 packages in this advisory. The
default and sample caching-nameserver configuration files have been updated
so that they do not specify a fixed query-source port. Administrators
wishing to take advantage of randomized UDP source ports should check their
configuration file to ensure they have not specified fixed query-source ports.

SRPMS:
        bind-9.3.4-6.0.2.P1.el5_2.src.rpm

i386:
        bind-9.3.4-6.0.2.P1.el5_2.i386.rpm
        bind-chroot-9.3.4-6.0.2.P1.el5_2.i386.rpm
        bind-devel-9.3.4-6.0.2.P1.el5_2.i386.rpm
        bind-libbind-devel-9.3.4-6.0.2.P1.el5_2.i386.rpm
        bind-libs-9.3.4-6.0.2.P1.el5_2.i386.rpm
        bind-sdb-9.3.4-6.0.2.P1.el5_2.i386.rpm
        bind-utils-9.3.4-6.0.2.P1.el5_2.i386.rpm
        caching-nameserver-9.3.4-6.0.2.P1.el5_2.i386.rpm

x86_64:
        bind-9.3.4-6.0.2.P1.el5_2.x86_64.rpm
        bind-chroot-9.3.4-6.0.2.P1.el5_2.x86_64.rpm
        bind-devel-9.3.4-6.0.2.P1.el5_2.i386.rpm
        bind-devel-9.3.4-6.0.2.P1.el5_2.x86_64.rpm
        bind-libbind-devel-9.3.4-6.0.2.P1.el5_2.i386.rpm
        bind-libbind-devel-9.3.4-6.0.2.P1.el5_2.x86_64.rpm
        bind-libs-9.3.4-6.0.2.P1.el5_2.i386.rpm
        bind-libs-9.3.4-6.0.2.P1.el5_2.x86_64.rpm
        bind-sdb-9.3.4-6.0.2.P1.el5_2.x86_64.rpm
        bind-utils-9.3.4-6.0.2.P1.el5_2.x86_64.rpm
        caching-nameserver-9.3.4-6.0.2.P1.el5_2.x86_64.rpm

Troy

Connie Sieh wrote:
> Synopsis:          Important: bind security update
> CVE Names:         CVE-2008-1447
> Description:
> 
> The DNS protocol protects against spoofing attacks by requiring an attacker
> to predict both the DNS transaction ID and UDP source port of a request. In
> recent years, a number of papers have found problems with DNS
> implementations which make it easier for an attacker to perform DNS
> cache-poisoning attacks.
> 
> Previous versions of BIND did not use randomized UDP source ports. If an
> attacker was able to predict the random DNS transaction ID, this could make
> DNS cache-poisoning attacks easier. In order to provide more resilience,
> BIND has been updated to use a range of random UDP source ports.
> (CVE-2008-1447)
> 
> Note: This errata also updates SELinux policy to allow BIND to use random
> UDP source ports.
> 
> SL 3:
> 
> Source:
>         bind-9.2.4-22.el3.src.rpm
> 
> x86_64:
>         bind-9.2.4-22.el3.x86_64.rpm
>         bind-chroot-9.2.4-22.el3.x86_64.rpm
>         bind-devel-9.2.4-22.el3.x86_64.rpm
>         bind-libs-9.2.4-22.el3.x86_64.rpm
>         bind-utils-9.2.4-22.el3.x86_64.rpm
> 
> SL 4:
> 
> Source:
>         bind-9.2.4-28.0.1.el4.src.rpm
>         selinux-policy-targeted-1.17.30-2.150.el4.src.rpm
> 
> i386:
>         bind-9.2.4-28.0.1.el4.i386.rpm
>         bind-chroot-9.2.4-28.0.1.el4.i386.rpm
>         bind-devel-9.2.4-28.0.1.el4.i386.rpm
>         bind-libs-9.2.4-28.0.1.el4.i386.rpm
>         bind-utils-9.2.4-28.0.1.el4.i386.rpm
> 
> noarch:
>         selinux-policy-targeted-1.17.30-2.150.el4.noarch.rpm
>         selinux-policy-targeted-sources-1.17.30-2.150.el4.noarch.rpm
> 
> x86_64:
>         bind-9.2.4-28.0.1.el4.x86_64.rpm
>         bind-chroot-9.2.4-28.0.1.el4.x86_64.rpm
>         bind-devel-9.2.4-28.0.1.el4.x86_64.rpm
>         bind-libs-9.2.4-28.0.1.el4.i386.rpm
>         bind-libs-9.2.4-28.0.1.el4.x86_64.rpm
>         bind-utils-9.2.4-28.0.1.el4.x86_64.rpm
> 
> SL 5:
> 
> Source:
>         bind-9.3.4-6.0.1.P1.el5_2.src.rpm
>         selinux-policy-2.4.6-137.1.el5_2.src.rpm
> 
> i386:
>         bind-9.3.4-6.0.1.P1.el5_2.i386.rpm
>         bind-chroot-9.3.4-6.0.1.P1.el5_2.i386.rpm
>         bind-devel-9.3.4-6.0.1.P1.el5_2.i386.rpm
>         bind-libbind-devel-9.3.4-6.0.1.P1.el5_2.i386.rpm
>         bind-libs-9.3.4-6.0.1.P1.el5_2.i386.rpm
>         bind-sdb-9.3.4-6.0.1.P1.el5_2.i386.rpm
>         bind-utils-9.3.4-6.0.1.P1.el5_2.i386.rpm
>         caching-nameserver-9.3.4-6.0.1.P1.el5_2.i386.rpm
> 
> noarch:
>         selinux-policy-2.4.6-137.1.el5_2.noarch.rpm
>         selinux-policy-devel-2.4.6-137.1.el5_2.noarch.rpm
>         selinux-policy-mls-2.4.6-137.1.el5_2.noarch.rpm
>         selinux-policy-strict-2.4.6-137.1.el5_2.noarch.rpm
>         selinux-policy-targeted-2.4.6-137.1.el5_2.noarch.rpm
> 
> x86_64:
>         bind-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
>         bind-chroot-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
>         bind-devel-9.3.4-6.0.1.P1.el5_2.i386.rpm
>         bind-devel-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
>         bind-libbind-devel-9.3.4-6.0.1.P1.el5_2.i386.rpm
>         bind-libbind-devel-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
>         bind-libs-9.3.4-6.0.1.P1.el5_2.i386.rpm
>         bind-libs-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
>         bind-sdb-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
>         bind-utils-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
>         caching-nameserver-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
> 
> -Connie Sieh


-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/LCSI/CSI DSS Group
__________________________________________________
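
The SL 5.x note above asks administrators to confirm that their configuration does not specify a fixed query-source port. The following is an added example, not part of the original message or of the BIND packages: a small checker that reports `query-source` and `query-source-v6` statements pinned to a numeric port. The function name `fixed_query_source_ports` and the sample configuration are constructed for illustration.

```python
import re
import sys

# Constructed sample in named.conf syntax (not taken from the advisory).
SAMPLE_CONF = r'''
options {
    directory "/var/named";
    // query-source port 53;   (commented out, must be ignored)
    query-source address * port 53;
    query-source-v6 port *;
    /* query-source-v6 address :: port 5353; */
    forwarders { 192.0.2.1 port 53; };
};
view "internal" {
    query-source
        port 1053;   # statement split across lines
};
'''

# Quoted strings are matched first so comment markers inside them survive.
_SKIP = re.compile(r'"(?:[^"\\\n]|\\.)*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_STATEMENT = re.compile(r'(?<![\w-])(query-source(?:-v6)?)\b([^;{}]*);')
_PORT = re.compile(r'\bport\s+(\*|\d+)')


def _blank_comment(match):
    text = match.group(0)
    if text.startswith('"'):
        return text
    # Keep newlines so reported line numbers match the original file.
    return re.sub(r'[^\n]', ' ', text)


def fixed_query_source_ports(conf_text):
    """Return (line, statement, port) for each query-source pinned to a port."""
    clean = _SKIP.sub(_blank_comment, conf_text)
    findings = []
    for stmt in _STATEMENT.finditer(clean):
        port = _PORT.search(stmt.group(2))
        if port and port.group(1) != '*':
            line = clean.count('\n', 0, stmt.start()) + 1
            findings.append((line, stmt.group(1), int(port.group(1))))
    return findings


if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for line, stmt, port in fixed_query_source_ports(text):
        print('line %d: %s is fixed to port %d' % (line, stmt, port))
```

Run it with the path to the active named.conf as the only argument; no output means no fixed query-source port was found in that file. Files pulled in through `include` are not followed and have to be checked separately.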
