Update to BIND Vulnerabilities

Mark_Andrews at isc.org Mark_Andrews at isc.org
Wed Jul 31 14:22:01 UTC 2002


Name: "OpenSSL buffer overflow"

Versions affected:
    BIND 9.1.
    BIND 9.2 if built with OpenSSL (configure --with-openssl). 
Severity: Medium
Exploitable: Remotely
Type: Potential execution of arbitrary code via buffer overflow. 

Description:

BIND 9.1.x ship with a copy of the vulnerable sections of OpenSSL crypto
library (obj_dat.c and asn1_lib.c).
Vendors shipping product based on BIND 9.1 should contact bind9-bugs at isc.org.

BIND 9.2.x is vulnerable if linked against a vulnerable library. By default
BIND 9.2 does not link against OpenSSL. 

Workarounds:

Disable DNSSEC validation of responses by commenting out any trusted keys in
named.conf. 

Fix:

Upgrade BIND 9.1.x to BIND 9.2.1 and/or link with fixed OpenSSL library
e.g. configure --with-openssl=/path/to/fixed/openssl
Link BIND 9.2.x with a fixed OpenSSL library. 

Active Exploits:

None known 
-- 
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE:	+61 2 9871 4742		         INTERNET: Mark.Andrews at isc.org


More information about the bind-announce mailing list