Patch-ID# 107018-02
Keywords: security res_mkquery libresolv __confcheck in.named
Synopsis: SunOS 5.7: /usr/sbin/in.named patch
Date: Mar/14/00
Solaris Release: 7
SunOS Release: 5.7
Unbundled Product:
Unbundled Release:
Xref: This patch available for x86 as patch 107019
Topic: SunOS 5.7: /usr/sbin/in.named patch
NOTE: Refer to Special Install Instructions section for
IMPORTANT specific information on this patch.
BugId's fixed with this patch: 4134616 4299852
Changes incorporated in this version: 4299852
Relevant Architectures: sparc
Patches accumulated and obsoleted by this patch:
Patches which conflict with this patch:
Patches required with this patch: 106938-01
NOTE: (or newer)
Obsoleted by:
Files included with this patch:
/usr/sbin/in.named
Problem Description:
4299852 four vulnerabilities have been found in BIND.
(from 107018-01)
4134616 in.named can hang when calling res_mkquery
Patch Installation Instructions:
--------------------------------
For Solaris 2.0-2.6 releases, refer to the Install.info file and/or
the README within the patch for instructions on using the generic
'installpatch' and 'backoutpatch' scripts provided with each patch.
For Solaris 7 release, refer to the man pages for instructions on
using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions. The following example
installs a patch to a standalone machine:
example# patchadd /var/spool/patch/104945-02
The following example removes a patch from a standalone system:
example# patchrm 104945-02
For additional examples please see the appropriate man pages.
Special Install Instructions:
-----------------------------
NOTE 1: To get the complete fix for 4134616 (in.named can hang
when
calling res_mkquery), one needs to install the
libresolv patch,
106938-01 or newer.
NOTE 2: To get the complete fix for 4299852 (four
vulnerabilities in BIND)
one needs to install the libresolv patch, 106938-03
or newer.
--
Mike Ashcraft, Sr. Network Engineer
epixtech, Inc.
M.Ashcraft at epixtech.com
Sam.Wilson at ed
.ac.uk (Sam To: comp-protocols-dns-bind at moderators.isc.org
Wilson) cc:
Sent by: Subject: 8.1.2 vs 8.2.2p5 and Sun
news at scotsman
.ed.ac.uk
08/07/00
08:55 AM
A colleague runs Sun's BIND which announces itself as 8.1.2. I suggested
he ought to upgrade as per
<http://www.isc.org/products/BIND/bind-security-19991108.html>. A Sun
engineer replied to his asking about this by saying that Sun's patches
don't upgrade version numbers, but that all the 6 off the issues listed at
the ISC site will have been addressed by a patch (107018).
I'm slightly bemused because 8.1.2 isn't affected by 2 of the 6 problems
noted on that page, but I'm also worried because a) Sun's BIND is now
lying about its serial number (though in what might be a failsafe way) and
b) I'm not sure how much confidence we should place in Sun's mods to an
obsolete software package.
Anyone got any information to either relax me or make me lie awake at
nights?
--
Sam Wilson
Network Services Division, Computing Services
The University of Edinburgh
Edinburgh, Scotland, UK