Debian Security Advisory

DSA-2054-1 bind9 -- DNS cache poisoning

Date Reported:
4 Jun 2010
Affected Packages:
bind9
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2010-0097, CVE-2010-0290, CVE-2010-0382.
More information:

Several cache-poisoning vulnerabilities have been discovered in BIND. The vulnerabilities are only present if DNSSEC validation is enabled and trust anchors have been installed, which is not the case in the default configuration.

The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2010-0097

    BIND did not correctly validate DNSSEC NSEC records, which allowed remote attackers to add the Authenticated Data (AD) flag to a forged NXDOMAIN response for an existing domain.

  • CVE-2010-0290

    When processing fabricated responses containing CNAME or DNAME records, BIND was subject to a DNS cache-poisoning vulnerability, provided that DNSSEC validation was enabled and trust anchors had been installed.

  • CVE-2010-0382

    When processing certain responses containing out-of-bailiwick data, BIND was subject to a DNS cache-poisoning vulnerability, provided that DNSSEC validation was enabled and trust anchors had been installed.
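All three issues share the precondition stated above: a resolver is only affected if DNSSEC validation is enabled and trust anchors are configured. The following added check (example code written for this page, not part of the advisory or of BIND) parses a named.conf fragment and reports whether that precondition holds; the sample configurations are constructed, and the assumption that BIND 9.6 defaults both dnssec-enable and dnssec-validation to yes (so only an explicit "no" disables them, while trust anchors are never present by default) is marked in the code.

```python
import re

# Constructed named.conf fragments for illustration; not taken from the advisory.
VALIDATING_CONF = """
options {
    directory "/var/cache/bind";
    dnssec-enable yes;
    dnssec-validation yes;   // explicit here; assumed to be the 9.6 default anyway
};
// Trust anchor for one signed zone; the key material is a placeholder.
trusted-keys {
    "example." 257 3 8 "PLACEHOLDER-BASE64-KEY";
};
"""

STOCK_CONF = """
options {
    directory "/var/cache/bind";
    /* No dnssec-* options and no trust anchors: the out-of-the-box case. */
};
"""

def strip_comments(text):
    """Drop /* */, // and # comments so commented-out options do not count."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def option_value(text, name):
    """Return the yes/no/auto value of a named.conf option, or None if unset."""
    m = re.search(r"\b%s\s+(yes|no|auto)\s*;" % re.escape(name), text)
    return m.group(1) if m else None

def dnssec_exposure(conf_text):
    """Decide whether this named.conf meets the advisory's precondition:
    DNSSEC validation enabled AND trust anchors installed."""
    text = strip_comments(conf_text)
    # Assumption: BIND 9.6 defaults dnssec-enable and dnssec-validation to yes,
    # so only an explicit "no" turns them off; trust anchors are absent by default.
    enable = option_value(text, "dnssec-enable") or "yes"
    validation = option_value(text, "dnssec-validation") or "yes"
    anchors = bool(re.search(r"\b(trusted-keys|managed-keys)\s*\{", text)) \
        or re.search(r"\bdnssec-lookaside\b", text) is not None
    return {
        "dnssec_enable": enable,
        "dnssec_validation": validation,
        "trust_anchors": anchors,
        "validating": enable == "yes" and validation != "no" and anchors,
    }

if __name__ == "__main__":
    for label, conf in (("validating", VALIDATING_CONF), ("stock", STOCK_CONF)):
        print(label, dnssec_exposure(conf))
```

Run it against /etc/bind/named.conf.options and any included files on a lenny resolver to see whether the update is urgent for that host or only the routine upgrade applies.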

In addition, the update introduces a more conservative query behaviour in the presence of repeated DNSSEC validation failures, which addresses the "roll over and die" phenomenon. The new version also supports the cryptographic algorithm used by the upcoming signed ICANN DNS root (RSASHA256 from RFC 5702) and the NSEC3 secure denial-of-existence algorithm used by some signed top-level domains.

The update is based on a new upstream version of BIND 9, 9.6-ESV-R1. Because of the extent of the changes, extra care is recommended when installing the update. Because of ABI changes, new Debian packages are included, and the update must be installed with apt-get dist-upgrade (or an equivalent aptitude command).

For the stable distribution (lenny), these problems have been fixed in version 1:9.6.ESV.R1+dfsg-0+lenny1.

For the unstable distribution (sid), these problems have been fixed in version 1:9.7.0.dfsg-1.

We recommend that you upgrade your bind9 packages.

Fixed in:

Debian GNU/Linux 5.0 (lenny)

Source:
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg-0+lenny1.diff.gz
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg.orig.tar.gz
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg-0+lenny1.dsc
Architecture-independent component:
http://security.debian.org/pool/updates/main/b/bind9/bind9-doc_9.6.ESV.R1+dfsg-0+lenny1_all.deb
Alpha:
http://security.debian.org/pool/updates/main/b/bind9/libisc52_9.6.ESV.R1+dfsg-0+lenny1_alpha.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.6.ESV.R1+dfsg-0+lenny1_alpha.deb
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.6.ESV.R1+dfsg-0+lenny1_alpha.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind9-50_9.6.ESV.R1+dfsg-0+lenny1_alpha.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.6.ESV.R1+dfsg-0+lenny1_alpha.deb
http://security.debian.org/pool/updates/main/b/bind9/liblwres50_9.6.ESV.R1+dfsg-0+lenny1_alpha.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccc50_9.6.ESV.R1+dfsg-0+lenny1_alpha.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccfg50_9.6.ESV.R1+dfsg-0+lenny1_alpha.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9utils_9.6.ESV.R1+dfsg-0+lenny1_alpha.deb
http://security.debian.org/pool/updates/main/b/bind9/libdns55_9.6.ESV.R1+dfsg-0+lenny1_alpha.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg-0+lenny1_alpha.deb
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.6.ESV.R1+dfsg-0+lenny1_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.6.ESV.R1+dfsg-0+lenny1_amd64.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.6.ESV.R1+dfsg-0+lenny1_amd64.deb
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.6.ESV.R1+dfsg-0+lenny1_amd64.deb
http://security.debian.org/pool/updates/main/b/bind9/libisc52_9.6.ESV.R1+dfsg-0+lenny1_amd64.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccc50_9.6.ESV.R1+dfsg-0+lenny1_amd64.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccfg50_9.6.ESV.R1+dfsg-0+lenny1_amd64.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9utils_9.6.ESV.R1+dfsg-0+lenny1_amd64.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind9-50_9.6.ESV.R1+dfsg-0+lenny1_amd64.deb
http://security.debian.org/pool/updates/main/b/bind9/libdns55_9.6.ESV.R1+dfsg-0+lenny1_amd64.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg-0+lenny1_amd64.deb
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.6.ESV.R1+dfsg-0+lenny1_amd64.deb
http://security.debian.org/pool/updates/main/b/bind9/liblwres50_9.6.ESV.R1+dfsg-0+lenny1_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.6.ESV.R1+dfsg-0+lenny1_arm.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind9-50_9.6.ESV.R1+dfsg-0+lenny1_arm.deb
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.6.ESV.R1+dfsg-0+lenny1_arm.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccc50_9.6.ESV.R1+dfsg-0+lenny1_arm.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9utils_9.6.ESV.R1+dfsg-0+lenny1_arm.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccfg50_9.6.ESV.R1+dfsg-0+lenny1_arm.deb
http://security.debian.org/pool/updates/main/b/bind9/libdns55_9.6.ESV.R1+dfsg-0+lenny1_arm.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg-0+lenny1_arm.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.6.ESV.R1+dfsg-0+lenny1_arm.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.6.ESV.R1+dfsg-0+lenny1_arm.deb
http://security.debian.org/pool/updates/main/b/bind9/liblwres50_9.6.ESV.R1+dfsg-0+lenny1_arm.deb
http://security.debian.org/pool/updates/main/b/bind9/libisc52_9.6.ESV.R1+dfsg-0+lenny1_arm.deb
ARM EABI:
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg-0+lenny1_armel.deb
http://security.debian.org/pool/updates/main/b/bind9/libdns55_9.6.ESV.R1+dfsg-0+lenny1_armel.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccc50_9.6.ESV.R1+dfsg-0+lenny1_armel.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccfg50_9.6.ESV.R1+dfsg-0+lenny1_armel.deb
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.6.ESV.R1+dfsg-0+lenny1_armel.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.6.ESV.R1+dfsg-0+lenny1_armel.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind9-50_9.6.ESV.R1+dfsg-0+lenny1_armel.deb
http://security.debian.org/pool/updates/main/b/bind9/liblwres50_9.6.ESV.R1+dfsg-0+lenny1_armel.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9utils_9.6.ESV.R1+dfsg-0+lenny1_armel.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.6.ESV.R1+dfsg-0+lenny1_armel.deb
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.6.ESV.R1+dfsg-0+lenny1_armel.deb
http://security.debian.org/pool/updates/main/b/bind9/libisc52_9.6.ESV.R1+dfsg-0+lenny1_armel.deb
HP Precision:
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.6.ESV.R1+dfsg-0+lenny1_hppa.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.6.ESV.R1+dfsg-0+lenny1_hppa.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.6.ESV.R1+dfsg-0+lenny1_hppa.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccfg50_9.6.ESV.R1+dfsg-0+lenny1_hppa.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccc50_9.6.ESV.R1+dfsg-0+lenny1_hppa.deb
http://security.debian.org/pool/updates/main/b/bind9/liblwres50_9.6.ESV.R1+dfsg-0+lenny1_hppa.deb
http://security.debian.org/pool/updates/main/b/bind9/libisc52_9.6.ESV.R1+dfsg-0+lenny1_hppa.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind9-50_9.6.ESV.R1+dfsg-0+lenny1_hppa.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9utils_9.6.ESV.R1+dfsg-0+lenny1_hppa.deb
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.6.ESV.R1+dfsg-0+lenny1_hppa.deb
http://security.debian.org/pool/updates/main/b/bind9/libdns55_9.6.ESV.R1+dfsg-0+lenny1_hppa.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg-0+lenny1_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/b/bind9/bind9utils_9.6.ESV.R1+dfsg-0+lenny1_i386.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.6.ESV.R1+dfsg-0+lenny1_i386.deb
http://security.debian.org/pool/updates/main/b/bind9/liblwres50_9.6.ESV.R1+dfsg-0+lenny1_i386.deb
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.6.ESV.R1+dfsg-0+lenny1_i386.deb
http://security.debian.org/pool/updates/main/b/bind9/libisc52_9.6.ESV.R1+dfsg-0+lenny1_i386.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.6.ESV.R1+dfsg-0+lenny1_i386.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccc50_9.6.ESV.R1+dfsg-0+lenny1_i386.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccfg50_9.6.ESV.R1+dfsg-0+lenny1_i386.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg-0+lenny1_i386.deb
http://security.debian.org/pool/updates/main/b/bind9/libdns55_9.6.ESV.R1+dfsg-0+lenny1_i386.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind9-50_9.6.ESV.R1+dfsg-0+lenny1_i386.deb
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.6.ESV.R1+dfsg-0+lenny1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/b/bind9/libisc52_9.6.ESV.R1+dfsg-0+lenny1_ia64.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.6.ESV.R1+dfsg-0+lenny1_ia64.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind9-50_9.6.ESV.R1+dfsg-0+lenny1_ia64.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg-0+lenny1_ia64.deb
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.6.ESV.R1+dfsg-0+lenny1_ia64.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9utils_9.6.ESV.R1+dfsg-0+lenny1_ia64.deb
http://security.debian.org/pool/updates/main/b/bind9/liblwres50_9.6.ESV.R1+dfsg-0+lenny1_ia64.deb
http://security.debian.org/pool/updates/main/b/bind9/libdns55_9.6.ESV.R1+dfsg-0+lenny1_ia64.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccc50_9.6.ESV.R1+dfsg-0+lenny1_ia64.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccfg50_9.6.ESV.R1+dfsg-0+lenny1_ia64.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.6.ESV.R1+dfsg-0+lenny1_ia64.deb
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.6.ESV.R1+dfsg-0+lenny1_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/b/bind9/libdns55_9.6.ESV.R1+dfsg-0+lenny1_mips.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.6.ESV.R1+dfsg-0+lenny1_mips.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.6.ESV.R1+dfsg-0+lenny1_mips.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg-0+lenny1_mips.deb
http://security.debian.org/pool/updates/main/b/bind9/libisc52_9.6.ESV.R1+dfsg-0+lenny1_mips.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccfg50_9.6.ESV.R1+dfsg-0+lenny1_mips.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccc50_9.6.ESV.R1+dfsg-0+lenny1_mips.deb
http://security.debian.org/pool/updates/main/b/bind9/liblwres50_9.6.ESV.R1+dfsg-0+lenny1_mips.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind9-50_9.6.ESV.R1+dfsg-0+lenny1_mips.deb
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.6.ESV.R1+dfsg-0+lenny1_mips.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9utils_9.6.ESV.R1+dfsg-0+lenny1_mips.deb
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.6.ESV.R1+dfsg-0+lenny1_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/b/bind9/libdns55_9.6.ESV.R1+dfsg-0+lenny1_mipsel.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccc50_9.6.ESV.R1+dfsg-0+lenny1_mipsel.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccfg50_9.6.ESV.R1+dfsg-0+lenny1_mipsel.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind9-50_9.6.ESV.R1+dfsg-0+lenny1_mipsel.deb
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.6.ESV.R1+dfsg-0+lenny1_mipsel.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9utils_9.6.ESV.R1+dfsg-0+lenny1_mipsel.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.6.ESV.R1+dfsg-0+lenny1_mipsel.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg-0+lenny1_mipsel.deb
http://security.debian.org/pool/updates/main/b/bind9/liblwres50_9.6.ESV.R1+dfsg-0+lenny1_mipsel.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.6.ESV.R1+dfsg-0+lenny1_mipsel.deb
http://security.debian.org/pool/updates/main/b/bind9/libisc52_9.6.ESV.R1+dfsg-0+lenny1_mipsel.deb
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.6.ESV.R1+dfsg-0+lenny1_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/b/bind9/libisccfg50_9.6.ESV.R1+dfsg-0+lenny1_powerpc.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccc50_9.6.ESV.R1+dfsg-0+lenny1_powerpc.deb
http://security.debian.org/pool/updates/main/b/bind9/libdns55_9.6.ESV.R1+dfsg-0+lenny1_powerpc.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg-0+lenny1_powerpc.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9utils_9.6.ESV.R1+dfsg-0+lenny1_powerpc.deb
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.6.ESV.R1+dfsg-0+lenny1_powerpc.deb
http://security.debian.org/pool/updates/main/b/bind9/libisc52_9.6.ESV.R1+dfsg-0+lenny1_powerpc.deb
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.6.ESV.R1+dfsg-0+lenny1_powerpc.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.6.ESV.R1+dfsg-0+lenny1_powerpc.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.6.ESV.R1+dfsg-0+lenny1_powerpc.deb
http://security.debian.org/pool/updates/main/b/bind9/liblwres50_9.6.ESV.R1+dfsg-0+lenny1_powerpc.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind9-50_9.6.ESV.R1+dfsg-0+lenny1_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/b/bind9/bind9utils_9.6.ESV.R1+dfsg-0+lenny1_s390.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.6.ESV.R1+dfsg-0+lenny1_s390.deb
http://security.debian.org/pool/updates/main/b/bind9/liblwres50_9.6.ESV.R1+dfsg-0+lenny1_s390.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg-0+lenny1_s390.deb
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.6.ESV.R1+dfsg-0+lenny1_s390.deb
http://security.debian.org/pool/updates/main/b/bind9/libdns55_9.6.ESV.R1+dfsg-0+lenny1_s390.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccfg50_9.6.ESV.R1+dfsg-0+lenny1_s390.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccc50_9.6.ESV.R1+dfsg-0+lenny1_s390.deb
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.6.ESV.R1+dfsg-0+lenny1_s390.deb
http://security.debian.org/pool/updates/main/b/bind9/libisc52_9.6.ESV.R1+dfsg-0+lenny1_s390.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind9-50_9.6.ESV.R1+dfsg-0+lenny1_s390.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.6.ESV.R1+dfsg-0+lenny1_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/b/bind9/libdns55_9.6.ESV.R1+dfsg-0+lenny1_sparc.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind9-50_9.6.ESV.R1+dfsg-0+lenny1_sparc.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9-host_9.6.ESV.R1+dfsg-0+lenny1_sparc.deb
http://security.debian.org/pool/updates/main/b/bind9/liblwres50_9.6.ESV.R1+dfsg-0+lenny1_sparc.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9utils_9.6.ESV.R1+dfsg-0+lenny1_sparc.deb
http://security.debian.org/pool/updates/main/b/bind9/libisc52_9.6.ESV.R1+dfsg-0+lenny1_sparc.deb
http://security.debian.org/pool/updates/main/b/bind9/libbind-dev_9.6.ESV.R1+dfsg-0+lenny1_sparc.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccfg50_9.6.ESV.R1+dfsg-0+lenny1_sparc.deb
http://security.debian.org/pool/updates/main/b/bind9/libisccc50_9.6.ESV.R1+dfsg-0+lenny1_sparc.deb
http://security.debian.org/pool/updates/main/b/bind9/lwresd_9.6.ESV.R1+dfsg-0+lenny1_sparc.deb
http://security.debian.org/pool/updates/main/b/bind9/dnsutils_9.6.ESV.R1+dfsg-0+lenny1_sparc.deb
http://security.debian.org/pool/updates/main/b/bind9/bind9_9.6.ESV.R1+dfsg-0+lenny1_sparc.deb

MD5 checksums of the listed files are available in the original advisory.