The rpm's are now up for SL 3.0.x

For SL 5.x there was a quickfix. Different than a fastbug, this is more of an "oops, we didn't mean to do that." It is going out tonight as well.

SL 5.x

We have updated the Scientific Linux 5 packages in this advisory. The default and sample caching-nameserver configuration files have been updated so that they do not specify a fixed query-source port. Administrators wishing to take advantage of randomized UDP source ports should check their configuration file to ensure they have not specified fixed query-source ports.

SRPMS:
bind-9.3.4-6.0.2.P1.el5_2.src.rpm

i386:
bind-9.3.4-6.0.2.P1.el5_2.i386.rpm
bind-chroot-9.3.4-6.0.2.P1.el5_2.i386.rpm
bind-devel-9.3.4-6.0.2.P1.el5_2.i386.rpm
bind-libbind-devel-9.3.4-6.0.2.P1.el5_2.i386.rpm
bind-libs-9.3.4-6.0.2.P1.el5_2.i386.rpm
bind-sdb-9.3.4-6.0.2.P1.el5_2.i386.rpm
bind-utils-9.3.4-6.0.2.P1.el5_2.i386.rpm
caching-nameserver-9.3.4-6.0.2.P1.el5_2.i386.rpm

x86_64:
bind-9.3.4-6.0.2.P1.el5_2.x86_64.rpm
bind-chroot-9.3.4-6.0.2.P1.el5_2.x86_64.rpm
bind-devel-9.3.4-6.0.2.P1.el5_2.i386.rpm
bind-devel-9.3.4-6.0.2.P1.el5_2.x86_64.rpm
bind-libbind-devel-9.3.4-6.0.2.P1.el5_2.i386.rpm
bind-libbind-devel-9.3.4-6.0.2.P1.el5_2.x86_64.rpm
bind-libs-9.3.4-6.0.2.P1.el5_2.i386.rpm
bind-libs-9.3.4-6.0.2.P1.el5_2.x86_64.rpm
bind-sdb-9.3.4-6.0.2.P1.el5_2.x86_64.rpm
bind-utils-9.3.4-6.0.2.P1.el5_2.x86_64.rpm
caching-nameserver-9.3.4-6.0.2.P1.el5_2.x86_64.rpm

Troy

Connie Sieh wrote:
> Synopsis: Important: bind security update
> CVE Names: CVE-2008-1447
> Description:
>
> The DNS protocol protects against spoofing attacks by requiring an attacker
> to predict both the DNS transaction ID and UDP source port of a request. In
> recent years, a number of papers have found problems with DNS
> implementations which make it easier for an attacker to perform DNS
> cache-poisoning attacks.
>
> Previous versions of BIND did not use randomized UDP source ports. If an
> attacker was able to predict the random DNS transaction ID, this could make
> DNS cache-poisoning attacks easier. In order to provide more resilience,
> BIND has been updated to use a range of random UDP source ports.
> (CVE-2008-1447)
>
> Note: This errata also updates SELinux policy to allow BIND to use random
> UDP source ports.
>
> SL 3:
>
> Source:
> bind-9.2.4-22.el3.src.rpm
>
> x86_64:
> bind-9.2.4-22.el3.x86_64.rpm
> bind-chroot-9.2.4-22.el3.x86_64.rpm
> bind-devel-9.2.4-22.el3.x86_64.rpm
> bind-libs-9.2.4-22.el3.x86_64.rpm
> bind-utils-9.2.4-22.el3.x86_64.rpm
>
> SL 4:
>
> Source:
> bind-9.2.4-28.0.1.el4.src.rpm
> selinux-policy-targeted-1.17.30-2.150.el4.src.rpm
>
> i386:
> bind-9.2.4-28.0.1.el4.i386.rpm
> bind-chroot-9.2.4-28.0.1.el4.i386.rpm
> bind-devel-9.2.4-28.0.1.el4.i386.rpm
> bind-libs-9.2.4-28.0.1.el4.i386.rpm
> bind-utils-9.2.4-28.0.1.el4.i386.rpm
>
> noarch:
> selinux-policy-targeted-1.17.30-2.150.el4.noarch.rpm
> selinux-policy-targeted-sources-1.17.30-2.150.el4.noarch.rpm
>
> x86_64:
> bind-9.2.4-28.0.1.el4.x86_64.rpm
> bind-chroot-9.2.4-28.0.1.el4.x86_64.rpm
> bind-devel-9.2.4-28.0.1.el4.x86_64.rpm
> bind-libs-9.2.4-28.0.1.el4.i386.rpm
> bind-libs-9.2.4-28.0.1.el4.x86_64.rpm
> bind-utils-9.2.4-28.0.1.el4.x86_64.rpm
>
> x86_64:
> bind-9.2.4-28.0.1.el4.x86_64.rpm
> bind-chroot-9.2.4-28.0.1.el4.x86_64.rpm
> bind-devel-9.2.4-28.0.1.el4.x86_64.rpm
> bind-libs-9.2.4-28.0.1.el4.i386.rpm
> bind-libs-9.2.4-28.0.1.el4.x86_64.rpm
> bind-utils-9.2.4-28.0.1.el4.x86_64.rpm
>
> SL 5:
>
> Source:
> bind-9.3.4-6.0.1.P1.el5_2.src.rpm
> selinux-policy-2.4.6-137.1.el5_2.src.rpm
>
> i386:
> bind-9.3.4-6.0.1.P1.el5_2.i386.rpm
> bind-chroot-9.3.4-6.0.1.P1.el5_2.i386.rpm
> bind-devel-9.3.4-6.0.1.P1.el5_2.i386.rpm
> bind-libbind-devel-9.3.4-6.0.1.P1.el5_2.i386.rpm
> bind-libs-9.3.4-6.0.1.P1.el5_2.i386.rpm
> bind-sdb-9.3.4-6.0.1.P1.el5_2.i386.rpm
> bind-utils-9.3.4-6.0.1.P1.el5_2.i386.rpm
> caching-nameserver-9.3.4-6.0.1.P1.el5_2.i386.rpm
>
> noarch:
> selinux-policy-2.4.6-137.1.el5_2.noarch.rpm
> selinux-policy-devel-2.4.6-137.1.el5_2.noarch.rpm
> selinux-policy-mls-2.4.6-137.1.el5_2.noarch.rpm
> selinux-policy-strict-2.4.6-137.1.el5_2.noarch.rpm
> selinux-policy-targeted-2.4.6-137.1.el5_2.noarch.rpm
>
> x86_64:
> bind-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
> bind-chroot-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
> bind-devel-9.3.4-6.0.1.P1.el5_2.i386.rpm
> bind-devel-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
> bind-libbind-devel-9.3.4-6.0.1.P1.el5_2.i386.rpm
> bind-libbind-devel-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
> bind-libs-9.3.4-6.0.1.P1.el5_2.i386.rpm
> bind-libs-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
> bind-sdb-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
> bind-utils-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
> caching-nameserver-9.3.4-6.0.1.P1.el5_2.x86_64.rpm
>
> -Connie Sieh

--
__________________________________________________
Troy Dawson  (630)840-6468
Fermilab  Computing Division/LCSI/CSI DSS Group
__________________________________________________
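
The message above asks administrators to check that their configuration does not pin a fixed query-source port. The following is an added example, not part of the original message or of the Scientific Linux packages: a small checker that reports every `query-source` or `query-source-v6` statement naming a numeric port, ignoring commented-out lines. The sample configuration and the function names are constructed for illustration.

```python
import re

# A quoted string (kept as-is) or one of named.conf's three comment styles.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
# A query-source / query-source-v6 statement up to its semicolon.
_STMT = re.compile(r'\b(query-source(?:-v6)?)\b([^;{}]*);')
_PORT = re.compile(r'\bport\s+(\*|\d+)')

def strip_comments(text):
    """Blank out comments but keep newlines, so line numbers stay correct."""
    def blank(m):
        tok = m.group(0)
        return tok if tok.startswith('"') else re.sub(r'[^\n]', ' ', tok)
    return _TOKEN.sub(blank, text)

def fixed_query_source_ports(conf_text):
    """Return (line, statement, port) for each statement pinning a port."""
    clean = strip_comments(conf_text)
    findings = []
    for m in _STMT.finditer(clean):
        port = _PORT.search(m.group(2))
        if port and port.group(1) != '*':   # "port *" leaves the port unpinned
            line = clean.count('\n', 0, m.start()) + 1
            findings.append((line, ' '.join(m.group(0).split()),
                             int(port.group(1))))
    return findings

# Constructed sample configuration (not taken from any real host).
SAMPLE = '''\
options {
    directory "/var/named";
    // query-source port 53;   (commented out, must be ignored)
    query-source address * port 53;
    query-source-v6 address * port *;
    /* query-source-v6 port 5353; */
};
view "internal" {
    query-source port 10053;  # fixed port inside a view
};
'''

if __name__ == "__main__":
    for line, stmt, port in fixed_query_source_ports(SAMPLE):
        print("line %d: fixed source port %d: %s" % (line, port, stmt))
```

To check a real server, pass the contents of its named.conf and of any files it includes to `fixed_query_source_ports`; an empty result means no statement in that text pins the source port.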