Update to BIND Vulnerabilities
Mark_Andrews at isc.org
Wed Jul 31 14:22:01 UTC 2002
Name: "OpenSSL buffer overflow"
Versions affected:
BIND 9.1.x.
BIND 9.2 if built with OpenSSL (configure --with-openssl).
Severity: Medium
Exploitable: Remotely
Type: Potential execution of arbitrary code via buffer overflow.
Description:
BIND 9.1.x ships with its own copy of the vulnerable sections of the OpenSSL crypto
library (obj_dat.c and asn1_lib.c), so every 9.1.x build is affected regardless of
which OpenSSL, if any, is installed on the system.
Vendors shipping product based on BIND 9.1 should contact bind9-bugs at isc.org.
BIND 9.2.x is vulnerable only if it is linked against a vulnerable OpenSSL library.
By default BIND 9.2 does not link against OpenSSL; it does so only when built with
configure --with-openssl.
Workarounds:
Disable DNSSEC validation of responses by commenting out any trusted-keys statements
in named.conf and reloading the server (rndc reload). The vulnerable code is reached
through DNSSEC signature verification; with no trusted keys configured named does not
validate responses, so a malicious response cannot trigger the overflow. The cost is
that the server no longer validates DNSSEC-signed data until the keys are restored.
Fix:
BIND 9.1.x: upgrade to BIND 9.2.1, which does not link against OpenSSL by default. If
DNSSEC support is required, build it against a fixed OpenSSL (0.9.6e or later),
e.g. configure --with-openssl=/path/to/fixed/openssl
BIND 9.2.x: relink named against a fixed OpenSSL library. If named is dynamically
linked, upgrading the shared libcrypto and restarting named is sufficient; a
statically linked named must be rebuilt.
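Two checks for the workaround and the fix above, added here as an example and not part of this advisory or of BIND itself: the first reads a named.conf and reports whether an uncommented trusted-keys statement is still present (i.e. whether DNSSEC validation is still enabled), the second reads ldd output and reports whether a binary is dynamically linked against libcrypto. The named.conf fragments are constructed, the key material is a placeholder, and the function names are this example's own.

```shell
# Added example, not part of the ISC advisory or of BIND itself: two checks
# an operator can run to confirm the workaround and the fix described above.
#   has_active_trusted_keys  - does named.conf (on stdin) still contain an
#                              uncommented trusted-keys statement, i.e. is
#                              DNSSEC validation still enabled?
#   links_libcrypto          - does ldd output (on stdin) show the binary
#                              dynamically linked against libcrypto?
# Both read stdin so they can be exercised on constructed text offline.

# Strips '//' and '#' line comments and /* ... */ block comments (a line that
# opens a block comment is dropped whole), then looks for "trusted-keys {".
# Exit status 0 if an active statement is found, 1 otherwise.
has_active_trusted_keys() {
    awk '
        /\/\*/              { cblock = 1 }             # "/*" opens a block comment
        cblock && /\*\//    { cblock = 0; next }       # "*/" closes it
        cblock              { next }
        { sub("//.*", ""); sub("#.*", "") }            # drop line comments
        /^[[:space:]]*trusted-keys[[:space:]]*[{]/ { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Exit status 0 if any line of the ldd output names libcrypto. A statically
# linked named shows nothing here; for that case rebuild against fixed OpenSSL.
links_libcrypto() {
    grep -q 'libcrypto'
}

# check_conf LABEL: reads named.conf on stdin, prints a verdict, returns 0 when
# the workaround is in effect (no active trusted-keys) and 1 otherwise.
check_conf() {
    if has_active_trusted_keys; then
        echo "$1: active trusted-keys found, DNSSEC validation still enabled"
        return 1
    fi
    echo "$1: no active trusted-keys, validation disabled (workaround in effect)"
}

# Constructed named.conf fragments; the key material is a placeholder, not a real key.
vulnerable_conf() {
    cat <<'EOF'
options { directory "/var/named"; };
trusted-keys {
    "example." 257 3 1 "AQ==";   # placeholder, not a real key
};
EOF
}

workaround_conf() {
    cat <<'EOF'
options { directory "/var/named"; };
/* disabled per the OpenSSL ASN.1 advisory; re-enable after relinking
trusted-keys {
    "example." 257 3 1 "AQ==";
};
*/
EOF
}

vulnerable_conf  | check_conf "named.conf (before)" || :
workaround_conf  | check_conf "named.conf (after)"

# On a real system: is the running named dynamically linked against OpenSSL?
if command -v named >/dev/null 2>&1 && command -v ldd >/dev/null 2>&1; then
    if ldd "$(command -v named)" | links_libcrypto; then
        echo "named is dynamically linked against libcrypto: upgrade that library and restart named"
    else
        echo "named shows no shared libcrypto (not linked, or linked statically)"
    fi
fi
```

On a live server run `check_conf named.conf < /etc/named.conf` (or wherever the file lives) after editing and before `rndc reload`; a statement wrapped in a block comment that opens and closes on the same line as other configuration is dropped with that line, so keep comment delimiters on their own lines as the constructed fragment does.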
Active Exploits:
None known
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org