[TriLUG] DNS vulnerability - Upgrade to 8.3.3 if you use BIND
Jon Carnes
jonc at nc.rr.com
Fri Jun 28 20:36:15 EDT 2002
Got this from CERT today - there is an exploitable buffer in one of the
resolver libraries used in BIND (and other applications that resolve DNS).
There is no upgrade for 9.2.1 yet...
Jon
===
Internet Software Consortium
All versions of BIND 4 from 4.8.3 prior to BIND 4.9.9 are
vulnerable.
All versions of BIND 8 prior to BIND 8.2.6 are vulnerable.
All versions of BIND 8.3.x prior to BIND 8.3.3 are vulnerable.
BIND versions BIND 9.2.0 and BIND 9.2.1 are vulnerable.
BIND version 4.8 does not appear to be vulnerable.
BIND versions BIND 9.0.x and BIND 9.1.x are not vulnerable.
'named' itself is not vulnerable.
Updated releases can be found at:
ftp://ftp.isc.org/isc/bind/src/4.9.9/
ftp://ftp.isc.org/isc/bind/src/8.2.6/
ftp://ftp.isc.org/isc/bind/src/8.3.3/
ftp://ftp.isc.org/isc/bind/contrib/ntbind-8.3.3/
BIND 9 contains a copy of the BIND 8.3.x resolver library
(lib/bind). This will be updated with the next BIND 9 releases
(9.2.2/9.3.0); in the meantime, please use the original in BIND
8.3.3.
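
The affected ranges quoted above, turned into an inventory check. This is an added example, not part of the original post or of ISC's advisory. The host names and version banners are constructed, and because the text says 'named' itself is not vulnerable, the reported version is only a proxy for the resolver library shipped with that release.

```python
import re

# Affected ranges from the ISC text quoted above: (first affected, first fixed).
VULNERABLE_RANGES = [
    ((4, 8, 3), (4, 9, 9)),  # BIND 4 from 4.8.3 prior to 4.9.9
    ((8, 0, 0), (8, 2, 6)),  # all BIND 8 prior to 8.2.6
    ((8, 3, 0), (8, 3, 3)),  # BIND 8.3.x prior to 8.3.3
    ((9, 2, 0), (9, 2, 2)),  # BIND 9.2.0 and 9.2.1
]

# First dotted number in the banner; the patch level is optional ("4.8").
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(banner):
    """Return (major, minor, patch) from a banner such as '8.2.3-REL', or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(part) if part else 0 for part in m.groups())

def classify(banner):
    """'vulnerable' if the version falls in a listed range, 'not-listed'
    if it parses but is outside every range, 'unparsed' otherwise."""
    version = parse_version(banner)
    if version is None:
        return "unparsed"
    for first_affected, first_fixed in VULNERABLE_RANGES:
        if first_affected <= version < first_fixed:
            return "vulnerable"
    return "not-listed"

def audit(inventory):
    """Map host -> classification for a {host: banner} inventory."""
    return {host: classify(banner) for host, banner in inventory.items()}

# Constructed inventory for illustration (hypothetical hosts and banners).
SAMPLE_INVENTORY = {
    "ns1.example.org": "named 8.2.3-REL",
    "ns2.example.org": "BIND 9.2.1rc1",
    "ns3.example.org": "8.3.3-REL",
    "cache.example.org": "9.1.3",
    "legacy.example.org": "4.8",
    "appliance.example.org": "version string hidden",
}

if __name__ == "__main__":
    for host, verdict in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:24} {verdict}")
```

Pre-release suffixes such as "rc1" are ignored, so a 9.2.1 release candidate is reported as vulnerable; "unparsed" hosts need a manual look.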