OpenBSD Journal

bind CVE-2009-0025: incorrect DSA verification checks

Contributed by ray on from the CYA-again dept.

Damien Miller (djm@) wrote to security-announce@:

Some exploitable logic errors have been found in the bind nameserver's use of OpenSSL DSA verification functions. These errors may permit an attacker to bypass validation of DSA DNSSEC signatures.

This vulnerability has been designated CVE-2009-0025. More information is available from the ISC at:

https://www.isc.org/node/373

Source code patches are available for OpenBSD 4.3 and 4.4. -current has had an identical fix applied.

Patch for OpenBSD 4.3:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/008_bind.patch

Patch for OpenBSD 4.4:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/008_bind.patch

These patches are also available in the OPENBSD_4_3 and OPENBSD_4_4 stable CVS branches.

Start patching again!


Comments
  1. By Anonymous Coward (87.178.154.235) on

    Hurray! How I love that simple-and-easy patching procedure!

  2. By Steve Shockley (68.83.96.160) on

    As I understand it, this vulnerability only affects you if you're using DNSSEC.

    Comments
    1. By tedu (udet) on

      > As I understand it, this vulnerability only affects you if you're using DNSSEC.

      Yes, not sure why the first paragraph was snipped.

      "Some exploitable logic errors have been found in the bind nameserver's
      use of OpenSSL DSA verification functions. These errors may permit an
      attacker to bypass validation of DSA DNSSEC signatures."
