-----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2002-029 ================================= Topic: named(8) multiple denial of service and remote execution of code Version: NetBSD-current: November 15, 2002 NetBSD 1.6: affected NetBSD-1.5.3: affected NetBSD-1.5.2: affected NetBSD-1.5.1: affected NetBSD-1.5: affected pkgsrc: bind-4.9.10 and prior, bind-8.3.3 and prior Severity: Remote root compromise Fixed: NetBSD-current: November 15, 2002 NetBSD-1.6 branch: November 16, 2002 NetBSD-1.5 branch: November 16, 2002 pkgsrc: bind-4.9.10nb1, bind-8.3.3nb1 Abstract ======== named(8) version 8.3.3, which is shipped with NetBSD, is vulnerable to remote execution of malicious code, and multiple denial of service attacks. Technical Details ================= http://www.isc.org/products/BIND/bind-security.html See the sections named: BIND: Remote Execution of Code" and "BIND: Multiple Denial of Service Solutions and Workarounds ========================= If you are not running named(8), your system is not affected. BIND 9 is not affected by these vulnerabilities. Upgrading to BIND 9 is recommended. BIND 9 is available in the NetBSD Pkgsrc Collection (pkgsrc/net/bind9). Configuration files differ between BIND 8 and 9. Plan such a migration appropriately. BIND 8 servers with recursion disabled are not vulnerable to the `BIND SIG Cached RR Overflow Vulnerability' nor to the `BIND SIG Expiry Time DoS'. to disable recursion, edit the BIND 8 configuration file (default path /etc/namedb/named.conf) to add `recursion no;' and `fetch-glue no;' to the options statement as shown: options { recursion no; fetch-glue no; /* ... other options ... */ }; The following instructions describe how to upgrade your named binaries by updating your source tree and rebuilding and installing a new version of named. Be sure to restart running instance of named(8) after installation. * NetBSD-current: Systems running NetBSD-current dated from before 2002-11-15 should be upgraded to NetBSD-current dated 2002-11-15 or later. The following directories need to be updated from the netbsd-current CVS branch (aka HEAD): dist/bind usr.sbin/bind To update from CVS, re-build, and re-install named: # cd src # cvs update -d -P dist/bind usr.sbin/bind # cd usr.sbin/bind # make obj dependall # make install * NetBSD 1.6: Systems running NetBSD 1.6 dated from before 2002-11-16 should be upgraded to NetBSD 1.6 dated 2002-11-16 or later. The following directories need to be updated from the netbsd-1-6 CVS branch: dist/bind usr.sbin/bind To update from CVS, re-build, and re-install named: # cd src # cvs update -d -P -r netbsd-1-6 dist/bind usr.sbin/bind # cd usr.sbin/bind # make obj dependall # make install * NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3: Systems running NetBSD 1.5, 1.5.1, 1.5.2 or 1.5.3 dated from before 2002-11-16 should be upgraded to NetBSD 1.5 dated 2002-11-16 or later. The following directories need to be updated from the netbsd-1-5 CVS branch: dist/bind usr.sbin/bind To update from CVS, re-build, and re-install named: # cd src # cvs update -d -P -r netbsd-1-5 dist/bind usr.sbin/bind # cd usr.sbin/bind # make obj dependall # make install * pkgsrc bind-4.9.10 and prior, as well as bind-8.3.3 and prior are vulnerable. Upgrade to bind-4.9.10nb1, or bind-8.3.3nb1 (or later). Thanks To ========= FreeBSD Security-Officer, for portions of the workaround text. Revision History =============== 2002-11-20 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-029.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2002-029.txt,v 1.8 2002/11/20 01:35:33 simonb Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (NetBSD) Comment: For info see http://www.gnupg.org iQCVAwUBPdsDgT5Ru2/4N2IFAQHV1gQAgJSxPZovIGfy90IvKom+I+1oxms+eZ4x eJVuomo+xKtwRCtwaeJPPMLaxTrJ4zRlp2I27LXFEN90WaoV0IAWp2xMATtyhveu xOCRtX1YwAQcd3haZW+Mh8QP8quQVygNot2AaoosUE5ohvlc5FFsDEhJJ1eMRsEM sdq82xAOLxw= =Cz18 -----END PGP SIGNATURE-----